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SPACE SHUTTLE PROGRAM 

Space Shuttle Safety and Mission Assurance Office 
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INTRODUCTION 



• Understanding the early mission risk and progression of risk as a vehicle 
gains insights through flight is important 

- To the Shuttle Program to understand the impact of re-designs and 
operational changes on risk 

- To new programs to understand reliability growth and first flight risk 

• Estimation of Shuttle Risk Progression by flight 

- Uses Shuttle Probabilistic Risk Assessment (SPRA) and current knowledge to 
calculate early vehicle risk 

- Shows impact of major Shuttle upgrades 

- Can be used to understand first flight risk for new programs 


Note: This is a significant update to previous versions dated 
prior to February 7th, mainly due to crediting crew 
escape on STS-1 and re-evaluation of Space Shuttle 
Main Engine (SSME) 
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SCOPE 



• Estimating the Shuttle Risk for each flight is not feasible in the timeframe available, 
nor is it necessary because there may not be a noticeable difference between 
every flight 

- The following flights have been analyzed with the plan to fill in additional flights as 
necessary and as time permits 

• STS-1 - First Flight 

• STS-5 - Ejection Seats Disabled 

• STS-41B - Flight following STS-9 Auxiliary Power Unit (APU) fire 

• STS-5 1 L - Challenger 

• STS-26 - Return to Flight after Challenger 

• STS-29 - Post STS-27 Solid Rocket Booster (SRB) nose cap Thermal Protection System (TPS) loss 

• STS-49 - Drag Chute introduced. Endeavour enters service 

• STS-77 - Block I and IA engines. New High Pressure Oxidizer Turbopump (HPOTP) 

• STS-86 - First flight of new External Tank (ET) foam application process 

• STS-89 - Earliest to combine Block I IA engines. New Large Throat Main Combustion Chamger 
(LTMCC) 

• STS-103 - First flight of ET foam venting 

• STS-110 - First full Block II cluster, New High Pressure Fuel Turbopump (HPFTP) 

• STS-114 - Return to Flight after Columbia 

• STS-133 - Current Mission Risk 
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SPACE SHUTTLE PROGRAM 

Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

MAJOR ASSUMPTIONS 



• General 

- Modeling equivalent missions 

• International Space Station (ISS) mission with STS-119 mission duration and Micro Meteoroid and Orbital 
Debris (MMOD) (SPRA iteration 3.3 model) 

• So that risk differences are not about a particular mission objective 

• Easier to accomplish 

• Note that earlier missions although short in duration were dominated by risks which were independent of 
mission length (e.g. Reusable Solid Rocket Motor (RSRM), Ascent Debris) 

- Calculated STS-1 risk to be rounded to the same value with mission duration adjusted 

- No model logic changes only data changes 

- Crew error remains the same across the flights 

- MMOD risk is based upon STS-119 

• May be conservative for early flights since environment has been getting worse 

• May be non-conservative for later pre-Return To Flight (RTF) missions since Attitude TimeLine (ATL) adjustments 
were made post-RTF to reduce the MMOD risk 

- Crew Escape via ejection seats is modeled for STS-1 

• Ejection Seats are available for crew escape below ~80K feet which ~80 seconds on ascent and ~500 seconds 
on entry 

• Given a scenario that is assumed to be recoverable, ejection seats are given a 90% success rate (i.e. there is a 
10% chance that either crewmember will not survive) 

• Scenarios which involve TPS failure (e.g. Ascent Debris, MMOD) are assumed not to be recoverable with 
ejection seats 

• Scenarios which occur on Orbit are assumed not to be recoverable with ejection seats. 


6/24/2011 


4 



SPACE SHUTTLE PROGRAM 

Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

MAJOR ASSUMPTIONS (2) 



• Functional and Phenomenological Data 

- All Bayesian updated data was reviewed and discounts taken for design changes were evaluated for 
when they were implemented and separate failure rates/probabilities were calculated based upon 
removing the discounts 

• For example Orbiter APU failure to run is automatically assigned a failure rate of 4.36E-3/hr if STS-1 is selected 
and 1.76E-3/hr if STS-133 is selected because of failures on STS-7 and STS-71 which had design changes 
implemented by STS-133 

• Unique data events such as tires and icicles forming during water dumps were evaluated separately and flight 
effectivities were assigned 
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MAJOR ASSUMPTIONS 


• Ascent Debris Data 




- Five possible groups of failure probabilities are used for the probability of critical Ascent Debris damage: STS-27 
and prior, STS-28 through STS-85, STS-86 through STS-93, STS-103 through STS-114 and STS-121 and subs 

• This grouping was based upon significant changes in Orbiter damage which is used to assess ascent debris risk (additional 
information provided in backup) 

- Probability of Tile Damage using Ascent Debris Analysis Model (ADAM) 

• STS-27 and prior 

- Probability of critical tile damage based upon using frequency of damages on STS-6 through STS-27 input into ADAM, other inputs 
are based upon the Pre-RTF distributions documented in the iteration 3.2 notebook because dimensions and location of damages 
are unavailable 

• STS-28 through STS-85 

- Probability of critical tile damage based upon re-fitting ADAM input distributions based upon damages on STS-28 through STS-85 

• STS-86 through STS-93 

- Probability of critical tile damage based upon using frequency of damages on STS-86 through STS-93 input into ADAM, other inputs 
are based upon the Pre-RTF distributions documented in the iteration 3.2 notebook because dimensions and location of damages 
are unavailable for STS-87 which had the most significant damage 

• STS-103 through STS-114 

- Probability of critical tile damage based upon re-fitting ADAM input distributions based upon damages on STS-103 through STS-114 

• STS-121 and subs 

- Uses SPRA iteration 3.3 values which include return to flight improvements 

- Probability of Reinforced Carbon Carbon (RCC) damage 

• Probability of RCC damage STS-1 through STS-114 based upon using a Jeffreys prior Bayesian updated with 1 failure in 113 
missions as the average risk from STS-1 through STS-114 and then calculating the risk at each point based upon the ratio of 
the tile risk at that point to the average tile risk (more details provided in backup) 

- Since the STS-27 and prior tile risk was ~2.2X the average the RCC risk is assume to be 2.2X the RCC risk average 

• Probability of RCC damage STS-121 and subs uses SPRA iteration 3.3 values which include return to flight improvements 
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SPACE SHUTTLE PROGRAM 

Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

MAJOR ASSUMPTIONS (4) 



• Space Shuttle Main Engine (SSME) 

- Based upon evaluating the failures associated with a particular engine design, and each failure's root 
cause and its corrective actions. DAR life limits and additional inspection points have significant and 
"immediate" buy down in risk 

- All applicable failures are assumed to have been a risk present from the start of the SSME program. 

- Failure discounts due to differences in extended duration and ground testing power level are 
predominately associated with FMOF and FPL engines. 

• External Tank (ET) 

- Based upon iteration 3.3 because in general this analysis does not model external tank changes, 
except as they impact Ascent Debris 

- Does not consider implications from STS-133 stringer cracks 

• Reusable Solid Rocket Motor (RSRM) 

- Based upon 1 LOCV in 25 missions prior to Challenger and based upon iteration 3.3 for the remaining 
missions 

• The iteration 3.3 value is based upon expert elicitation, however discounting the failure based upon standard 
SPRA methodology would result in a similar value (~1:1300 vs. 1:1500) 

• Orbiter Flight Software 

- Based upon the report "Primary Avionics Software System (PASS) Probabilistic Risk Assessment" 
which uses historical data from the Space Shuttle Program (SSP), to determine the LOC probability 
due to a failure in the PASS aboard the Shuttle 

- Although new software updates can introduce new errors, more errors are eliminated and the risk 
trends down 
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RESULTS SUMMARY 
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STS-5 


and STS-29 


STS-89 


Flight Sequence # 

STS-l estimate includes crew escape with ejection seats (Risk is 1:9 without ejection seats) 


• STS-1 risk may have been higher due to unquantified risks 

- Underestimation of the SRB ignition overpressure which deformed FRCS oxidizer tank aft Z strut 

- Orbiter flight software risk is higher than estimated due to use of Ol-l estimate 

- TPS risk may be underestimated because ascent debris risk is based upon damages from STS-6 through STS-27 and on 
STS-1 there were numerous upper surface tile debonds 


• Around STS-114 the Shuttle Program started actively using the Shuttle PRA in program decisions 
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RESULTS SUMMARY (STS-1) 
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4.5E-02 

(1:22) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading 
to LOCV on orbit or entry 

2 

1.6E-02 

(1:63) 

Solid Rocket Motor (SRM)-induced SRM catastrophic failure and 
ejection seats fail to save the crew 

3 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

4 

4.2E-03 

(1:240) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 
and ejection seats fail to save the crew 

5 

3.1E-03 

(1:320) 

Orbiter APU Shaft Seal Fracture Entry and ejection seats fail to save 
the crew 

6 

2.4E-03 

(1:420) 

Auxiliary Power Unit (APU) external leak on entry and ejection seats 
fail to save the crew 

7 

1.7E-03 

(1:600) 

Orbiter flight software error results in catastrophic failure during 
ascent and ejection seats fail to save the crew 

8 

9.0E-04 

(1:1100) 

APU external leak on ascent and ejection seats fail to save the crew 

9 

8.8E-04 

(1:1100) 

Orbiter APU Shaft Seal Fracture Ascent and ejection seats fail to save 
the crew 

10 

6.3E-04 

(1:1600) 

SSME-induced benign shutdown of the SSME and ejection seats fail to 
save the crew 
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As stated previously STS-1 risk may have been higher due to unquantified risks 


As quantified STS-1 risk is dominated by Ascent debris and SRM risk 
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RESULTS SUMMARY (STS-5) 
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• Ejection seats disabled, going from 2 to 4 crew 

- RSRM, SSME, APU external leaks, Orbiter Flight Software and Crew error on entry increase 

• APU shaft seal fracture risk decreases due to changes in hydrazine detection criteria 
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RESULTS SUMMARY (STS-41B) 
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Orbiter flight software error results in catastrophic failure 
during ascent 
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Fuel supply failure to the OMS during orbit 
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• SSME Risk increases due to operating at a higher power level 

• Orbiter flight software risk decreases due to use of OI-2 vs. Ol-l 

• APU risk decreases due to improvements made post STS-9 APU fire (processing changes), 
external leaks drops from top 10 
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RESULTS SUMMARY (STS-51L) 
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• Orbiter flight software risk decreases due to use of OI-7 vs. OI-2 

• APU risk decreases due to improvements made post STS-9 APU fire (injector re-design) 

• SSME Benign shutdown risk decrease slightly due to decreases in Orbiter Flight software and 
APU 
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SPACE SHUTTLE PROGRAM 

Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

RESULTS SUMMARY (STS-26) 
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RSRM risk decreases from 1:25 to 1:1500 due to re-design post Challenger 

SSME risk decreases due to corrective actions following failures and engine upgrade from FPL to 
Phase II engine 

Orbiter flight software risk decreases due to use of OI-8B vs. OI-7 

Blue highlight indicates risk has changed 
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RESULTS SUMMARY (STS-29) 
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Ascent Debris risk decreases from 1:22 to 1:89 due to SRB nose cap TPS re-design post STS-27. After this mission 
the Orbiter damages are <100 damages per flight (with the exception of STS-86 through STS-93) 

SSME benign shutdown risk drops from the top 10 due to the Ascent debris risk reduction (i.e. reduction of critical 
TPS damage combined with SSME benign shutdown) 

OMS fuel supply risk decreases slightly due to He Regulator changes 

Blue highlight indicates risk has changed 
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RESULTS SUMMARY (STS-49) 
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Flight Sequence # 

Orbiter flight software risk decreases due to use of 01-21 vs. OI-8B 

SSME benign shutdown risk drops from top 10 due to Orbiter flight software risk decrease 
APU risk drops from the top 10 
- Orbiter APU shaft seal risk eliminated due to IAPU re-design 
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SULTS SUMMARY (STS-77) 
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Orbiter flight software risk decreases due to use of 01-24 vs. 01-21 

SSME risk decreases due to corrective actions following failures, engine upgrade from phase II to 
Block l/IA and the introduction of HPOTP-AT 
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ESULTS SUMMARY (STS-86) 
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STS-1 STS-41B STS-51L, STS-26 STS-49 STS-77 STS-86 

STS-5 and STS-29 


Flight Sequence # 

Ascent debris risk significantly increases due to new foam application process initiated ET acreage due to EPA 
banning of CFC-11 Freon. Average number of Orbiter damages increases from ~13 to ~45 with STS-87 experiencing 
109 lower surface damages 

Orbiter flight software risk decreases due to use of 01-26 vs. 01-24 
SSME Shutdown risk increased due to the increase in Ascent Debris 
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ESULTS SUMMARY (STS-89) 
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Rank 

Probability 

(1/n) 

Description 

1 

3.4E-02 

(1:30) 

Ascent debris strikes Orbiter Therma 1 Protection System 
(TPS) leading to LOCV on orbit or entry 

2 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter 
on orbit leadingto LOCV on orbit or entry 

3 

1.5E-03 

(1:680) 

Space Shuttle Main Engine (SSME)-induced SSME 
ca ta st ro p h i c fa i 1 u re 

4 

8.2E-04 

(1:1200) 

Crew error during entry 

5 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM 
catastrophic failure 

6 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit 

7 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

8 

3.2E-04 

(1:3100) 

Orbiter flight software error results in catastrophicfailure 
during ascent 

9 

2.3E-04 

(1:4300) 

SRB booster separation motor debris strikes Orbiter 
windows 

io 

1.8E-04 

(1:5500) 

Mechanismsfailure 
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STS-1 STS-41B STS-51L, STS-26 
STS-5 and STS-29 
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STS-49 STS-77 


Flight Sequence # 


85 90 95 100 105 110 115 120 125 130 

STS-86 

STS-89 


SSME risk decreases due to engine upgrade from Block I and IA engine to Block II engine and the introduction of 
LTMCC 
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ULTS SUMMARY (STS-103) 
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Rank 

Probability 

(1/n) 

Description 

1 

7.9E-03 

(1:130) 

Ascent debris strikes Orbiter Thermal Protection System 
(TPS) leading to LOCV on orbit or entry 

2 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes 
Orbiter on orbit leading to LOCV on orbit or entry 

3 

1.5E-03 

(1:680) 

Space Shuttle Main Engine (SSME)-induced SSME 
ca ta st ro p h i c fa i 1 u re 

4 

8.2E-04 

(1:1200) 

Crew error during entry 

5 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM 
ca ta st ro p h i c fa i 1 u re 

6 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit 

7 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

8 

3.0E-04 

(1:3400) 

Orbiter flight software error results in catastrophicfailure 
during ascent 

9 

2.3E-04 

(1:4300) 

SRB booster separation motor debris strikes Orbiter 
windows 

10 

1.8E-04 

(1:5500) 

Mechanisms failure 
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STS-1 STS-41B STS-51L, STS-26 STS-49 STS-77 STS-86 STS-103 

STS-5 and STS-29 n STS-89 


Flight Sequence # 


Ascent Debris risk significantly decreases due to ET foam venting holes (average # of damages goes 
back down to ~16 from ~45) 

Orbiter flight software risk decreases due to use of OI-26B vs. 01-26 
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ULTS SUMMARY (STS-110) 
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Rank 

Probability 

(1/n) 

Description 

1 

7.9E-03 

(1:130) 

Ascent debris strikes Orbiter Thermal Protection System 
(TPS) leading to LOCV on orbit or entry 

2 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter 
on orbit leadingto LOCV on orbit or entry 

3 

1.6E-03 

(1:610) 

Space Shuttle Main Engine (SSME)-induced SSME 
catastrophicfailure 

4 

8.2E-04 

(1:1200) 

Crew error during entry 

5 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM 
catastrophicfailure 

6 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS 

7 

3.7E-04 

(1:2700) 

Debondingof TPS during ascent 

8 

2.6E-04 

(1:3800) 

Orbiter flight software error results in catastrophicfailure 
during ascent 

9 

1.8E-04 

(1:5500) 

Mechanisms failure 

10 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit 
overcoolingthe H20 loops and crew is unableto prevent 
rupture of the interchanger resulting in Loss of All Cooling 
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1 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100 105 110 115 120 125 130 

STS-1 STS-41B STS-51L, STS-26 STS-49 STS-77 STS-86 STS-103 STS-110 

STS-5 and STS-29 n STS-89 

Flight Sequence # 

Orbiter flight software risk decreases due to use of 01-29 vs. OI-26B 

SSME risk increases due to engine upgrade from Block IIA to Block II and the introduction of HPFTP- 
AT 

- There were three early HPFTP-AT related failures. Although heavily discounted due to improvements, risk still increases. 
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ULTS SUMMARY (STS-114) 
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Rank 

Probability 

(1/n) 

Description 

1 

5.1E-03 

(1:200) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on 
orbit leading to LOCV on orbit or entry 

2 

1.7E-03 

(1:600) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) 
leading to LOCV on orbit or entry 

3 

1.6E-03 

(1:610) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic 
f a i 1 u re 

4 

8.2E-04 

(1:1200) 

Crew error during entry 

5 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic 
f a i 1 u re 

6 

2.3E-04 

(1:4400) 

Orbiter flight software error results in catastrophic failure during 
ascent 

7 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit 
overcooling the H20 loops and crew is unable to prevent rupture 
of the interchanger resulting in Loss of All Cooling 

8 

1.7E-04 

(1:5900) 

Solid Rocket Booster (SRB) APU shaft seal fracture 

9 

1.5E-04 

(1:6500) 

SRB booster separation motor debris strikes Orbiter windows 

io 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the 
GH2 re-pressurization line 
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STS-1 STS-41B STS-51L, STS-26 STS-49 STS-77 STS-86 STS-103 STS-1 10 STS-114 

STS-5 and STS-29 n STS-89 


Flight Sequence # 

MMOD risk decreases due to FD2 inspection with repair and crew rescue (no late inspection) 
Ascent debris risk decreases due to FD2 inspection with repair and crew rescue 
Orbiter flight software risk reduction due to use of 01-30 vs. 01-29 
TPS debond risk drops from top 10 due to FD2 inspection with repair and crew rescue 
OMS fuel supply risk drops from top 10 due to crew rescue capability 


Blue highlight indicates 
risk has changed 
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SULTS SUMMARY (STS-133) 
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Rank 

Probability 

(1/n) 

Description 

1 

3.3E-03 

(1:300) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on 
orbit leading to LOCV on orbit or entry 

2 

1.5E-03 

(1:650) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic 
f a i 1 u re 

3 

1.1E-03 

(1:940) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) 
leading to LOCV on orbit or entry 

4 

8.2E-04 

(1:1200) 

Crew error during entry 

5 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic 
f a i 1 u re 

6 

2.3E-04 

(1:4400) 

Flight Software error result in catastrophic failure during ascent 

7 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit 
overcooling the H20 loops and crew is unable to prevent rupture 
of the interchanger resulting in Loss of All Cooling 

8 

1.7E-04 

(1:5900) 

Solid Rocket Booster (SRB) APU shaft seal fracture 

9 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the GH2 
re-pressurization line 

io 

1.3E-04 

(1:7700) 

Collision of the Orbiter with the International Space Station (ISS) 
during rendezvous and docking 
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STS-1 STS-41B STS-51L, STS-26 STS-49 STS-77 STS-86 STS-103 STS-110 STS-114 STS-133 

STS-89 


STS-5 


and STS-29 


Flight Sequence # 


MMOD risk decreases due to late inspection with improved repair and crew rescue 
SSME risk decreases due to addition of Advanced Health Monitoring System (AHMS) 

Ascent debris decrease due improved debris environment and improved repair and crew rescue 
SRB booster separation motor debris drops from the top 10 due to process improvements 

Blue highlight indicates risk has changed 
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RESULTS SUMMARY 




Ejection Seats Disabled 
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-Q 
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SSME risk increase due to higher power level 

APU risk reduction post STS-9 (process improvement) i 

Orbiter flight software using 01-2 
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I • APU risk reduction post STS-9 (re-design) 
! • Orbiter flight software using OI-7 


MMOD risk reduction due to addition of late inspection 
Ascent debris risk reduction improved debris 
environment and improved repair 
SSME uncontained risk reduction with Block II engine 
with AHMS 


1:10 

— — 


SRM risk reduction post Challenger 
SSME risk reduction with Phase II engine 
Orbiter flight software using OI-8B 


* Ascent Debris risk increase due to new ET 
foam application process 

• Orbiter flight software using 01-26 


Ascent debris and TPS Debond risk reduction 
with inspection, repair and crew rescue 
Orbiter flight software risk using 01-30 


SSME Risk reduction with Block IIA engines 


1:17 


Ascent debris risk 
reduction from SRB 
nose cap TPS re- 
design post STS-27 


1:21 


• Orbiter flight software using 01-21 

* Risk reductions due to IAPU 
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...1:38 


SSME Risk reduction with 
Block I & IA engines 
Orbiter flight software 
using 01-24 
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Ascent debris risk reduction due to venting holes in 
ET foam 

Orbiter flight software using OI-26B 


SSME risk slight increase with Block 
II engines 

Orbiter flight software using 01-29 
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STS-1 STS-41B STS-51L, STS-26 STS-49 STS-77 STS-86 STS-103 STS-110 STS-114 STS-133 


STS-5 


and STS-29 


Flight Sequence # 


STS-89 


• There was an 8% likelihood of making it to flight 25 without LOCV and a 8% likelihood of making it 
from flight 26 to flight 113 without LOCV using the values on this chart 

- We were lucky, there were a number of close calls (e.g. STS-9 APU fire, STS-27 Ascent Debris, STS-95 drag chute door) 
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HOW TOP 10 RISKS CHANGE OVER TIME 



Solid Rocket Motor (SRM)-induced 
SRM catastrophic failure 
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Flight Sequence # 


Orbiter APU shaft seal fracture on entry 
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Flight Sequence# 


Orbiter flight software error results in 
catastrophic failure during ascent 
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SSME-induced SSME uncontained 
failure 
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SSME-induced benign engine shutdown 
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MMOD strikes Orbiter on orbit 
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Flight Sequence # 


Orbiter APU external leak on entry 
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Flight Sequence # 




Red outline indicates a risk that is always in the top 10 risks 

Additional details on top 10 risks for each flight provided in backup 
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HOW TOP 10 RISKS CHANGE OVER TIME (2) 


Orbiter APU shaft seal fracture on 
ascent 
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Crew error during entry 
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SRB booster separation motor debris 
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MPS FCV poppet failure causes rupture 
in the GH2 re-pressurization line 
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Fuel supply failure to the OMS during 
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ABS isolation valve leaks resulting 
loss of all cooling 
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Collision of the Orbiter with the ISS 
during rendezvous and docking 
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Additional details on top 10 risks for each flight provided in backup 
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HOW TOP 10 RISKS CHANGE OVER TIME (3) 


Mechanism Failure 
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RESULTS SUMMARY 
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Shuttle PRA 
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1 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100 105 110 115 120 125 130 


STS-1 STS-41B STS-51L, STS-26 
STS-5 and STS-29 


STS-49 STS-77 STS-86 STS-1 03 STS-1 10 STS-1 14 STS-1 33 

Flight Sequence # 


• Chart shows previous Shuttle risk estimates in red, with the Shuttle PRA being the most comprehensive 
PRA initiated by the Shuttle Program. 

- Earlier studies were not necessarily PRAs or had limited scope (e.g. Wiggins analysis was largely based upon expert 
opinion and Galileo Study was Ascent only) 

• Around STS-114 the Shuttle Program started actively using the Shuttle PRA in program decisions 
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ORBITER HARDWARE / SOFTWARE RESULTS SUMMARY 


APU risk reduction for shaft seal 
with process improvements 
Ejection Seats disabled 
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• APU risk reduction post STS-9 (process) 

■ Orbiter flight software using 01-2 

■ DPS risk reduction due to 6XXX series MDMs 
dominates after STS-41B 


APU risk reduction post STS-9 (re-design) 
Orbiter flight software using 01-7 


TPS Debond risk reduction with inspection, repair and crew rescue 

Orbiter flight software risk using OI-SO 

APU risk reduction due to process changes 

Mechanisms risk reduction due to design and process changes 

RCS thruster risk reduction due to process changes 


i • Orbiter flight software using OI-8B 


Orbiter flight software using OI-26B 


; * OMS and RCS Fuel leaks risk reduction due 
! to manufacturing process changes 


No change, impacted by j- 
SSME decrease 
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• Orbiter flight software using 01-21 
\ • Risk reductions due to IAPU \ 

I • DPS risk reduction due to updated GPC design \ : 
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APU risk reduction due 
to process changes' 


Orbiter flight software 
using 01-29 


Orbiter flight software 
using 01-24 
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Orbiter flight software 
using 01-26 
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and STS-29 


Flight Sequence # 


STS-89 


There was an 50% likelihood of making it to flight 133 without LOCV due to Orbiter 
h a rd wa re/s of t wa re 
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CONCLUSIONS 



• Using this analysis technique shows that Shuttle average mission risk has 
improved by approximately an order of magnitude over the life of the 
program 

• Risk reductions are the result of re-designs or operational changes, the 
most significant of which follow major events (e.g. Challenger, Columbia, 
STS-27 TPS damage) 

• This analysis is different than traditional reliability growth models which 
show improvement with each additional flight 

- Risk can increase due to trading safety margin for increased performance (e.g. SSME) or 
due to external events (e.g. EPA ban of CFC-11 Freon) 

- Significant improvement does not happen without time and money to re-design risk 
significant hardware (e.g. Block IIA SSME, IAPU) or without impacts to mission (e.g. ATL 
adjustments, inspections) 

- Need to understand what the drives the risk in order to reduce the risk (e.g. ascent 


debris) 
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FUTURE WORK 



• Quantify additional missions to fill in gaps starting with the following 

- STS- 107 Columbia 

- STS-6 First 104% SSME flight 

- Additional flights to fill in gaps: STS-41, STS-68 and STS-124 

• Consider including changing MMOD risk 

- MMOD was calculated starting at STS-50, however damage criteria has changed 
overtime making it difficult to assess consistently over time 

• Provide additional risk progressions similar to Orbiter Hardware to show how 
various systems are changing over time 
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BACKUP 
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SHUTTLE PRA EVOLUTION 




Two of the earliest Shuttle risk assessments which are not included below are the "Wiggins Analysis" and the 
"Weatherwax Analysis" 

- The "Wiggins Analysis" conducted by the J. H. Wiggins Co. of Redondo Beach, Calif, between 1979 and 1982 put the 
overall risk of losing a shuttle between 1:1000 and 1:10000 and was mainly based upon engineering judgment 

- The "Weatherwax Analysis" prepared by R.K. Weatherwax of Sierra Energy and Risk Assessment Inc. in 1983 put the 
overall risk of losing a shuttle at ~1:35 was a review of the "Wiggins Analysis" with more of a data based approach 

The Shuttle PRA has been incrementally developed over many years 

- Mission Phases (Ascent, Orbit, Entry) 

- Number of Systems Modeled 

- Risk Factors considered (systems failures, phenomenological failures, human reliability, external events, etc.) 

The advent of established NASA requirements, standards, and tools - as well as the development of a strong 
shuttle program PRA team have resulted in significant recent progress 


Mean Probability of LOCV 


1:70 1:55 1:73 1:131 1:234 


Proof of 
concept 
study for 
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PRA to 
Space 
Shuttle. 
Scope was 
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results to 
reflect then 
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Shuttle. 
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Limited 
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ascent and 
entry 
/landing. 
Included only 
three Orbiter 
systems and 
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Propulsion 
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Unpublished 
analysis using 
QRAS. No 
integration of 
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three Orbiter 
systems and 
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Propulsion 

elements. 


1:78 
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Iteration 3.0 
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with all 
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modeling, 

corrected 
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of OSMA peer 


inspection 
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Orbiter 

review 


with repair 

and docking. 

hydrazine 

Orbiter flight 

systems, 
MMOD and 
human 
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and crew 
rescue. 
Updated 
MMOD and 
ascent debris 
modeling 
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functional 
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and ascent 
debris 

leak 
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software, 
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Orbiter 

review 
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comments 


review team. 
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IMPACT OF ROGERS COMMISION 
RECOMMENDATIONS ON RISK 

• SRM Re-design 

- Significantly reduced risk from ~1:25 to ~1:1500 




• Impact of the Majority of the Recommendations are Difficult to Assess with PRA 

- Independent Oversight _ Safety Organization 

- Management Structure _ Improved Communication 

- Astronauts in Management _ Flight Rate 

- Shuttle Safety Panel _ Maintenance Safeguards 

- Criticality review of CILs and Hazard 


• Landing Safety 

- From the Shuttle PRA perspective there was minimal impact to the overall risk 

• Especially the suggested improvements in Abort landing sites 

• Individual contributors may have improved by an order of magnitude (e.g. brakes going from IE-4 to IE-5) 
but were not risk drivers 


• Launch Abort and Crew Escape 

- From the Shuttle PRA perspective improving 2 or 3 engine out capability does not impact the 
model since model assumes the loss of 2 or 3 engines is catastrophic and it is still not a risk driver 

- The Shuttle PRA does not include the Crew Escape System, from the Shuttle PRA perspective it is 
assumed if there is a fire/explosion there is LOCV, no credit is given to crew survivability 
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IMPACT OF ROGERS COMMISION 
RECOMMENDATIONS ON RISK (2) 



• Other Safety Considerations (not formal recommendations) 

- 17 inch disconnect valve exposure to inadvertent closure 

• Current Shuttle PRA does not give credit for addition of latch to 17 inch disconnect but valve 
transfers close is not a significant risk driver ~5.5E-6 since exposure time limited 

- ET vent valves indicate closed but valve is open 

• Valve was never re-designed but there was extensive analysis and testing to show that the 
risk is low. The PRA supports the determination that this was a low risk 
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IMPACT OF CAIB RECOMMENDATIONS ON RISK 



• Thermal Protection System 

- Risk reduced from ~1:130 to ~1:940, almost an order of magnitude after all the changes 

• ET Debris reduction 

• Orbiter hardening 

• Inspection 

• Repair 

• Crew Rescue 

• Imaging 

- Relates to TPS risk reduction and MMOD risk reduction 

• Orbiter Sensor Data 

— Relates to TPS risk reduction and MMOD risk reduction 

• Test and Qualify Bolt Catchers 

- Relates to TPS risk reduction because it was a potential debris source 

• Require Shuttle to have same level of Safety for MMOD as ISS and change 
guidelines to requirements 

- ATL adjustments significantly reduced the MMOD risk (~50%) however this risk reduction is not 
highlighted in the risk progression because risk is based upon STS-119 ATL 

- Risk reduced from ~1:190 to ~1:300 with late inspection implementation on STS-121 
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IMPACT OF CAIB RECOMMENDATIONS ON RISK (2) 



• Impact of the Majority of the Recommendations are Difficult to Assess 
with PRA 

- Wiring Inspections 

- Require at Least Two Employees Attend All Closeouts 

- Consistently define Foreign Object Debris (FOD) as FOD 

- Scheduling Pressure 

- MMT Training 

- Organization 

- Recertification 

- Closeout Photos / Drawing System 
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MAJOR ASSUMPTIONS (STS-1) 



• Crew Escape via ejection seats is modeled for STS-1 

- Ejection Seats are available for crew escape below ~80l< feet which ~80 seconds on ascent and ~500 seconds on entry 

- Given a scenario that is assumed to be recoverable, ejection seats are given a 90% success rate (i.e. there is a 10% 
chance that either crewmember will not survive) 

- Scenarios which involve TPS failure (e.g. Ascent Debris, MMOD) are assumed not to be recoverable with ejection seats 

- Scenarios which occur on Orbit are assumed not to be recoverable with ejection seats. 

• Solid Rocket Motor (SRM) risk based upon 1 LOCV in 25 missions 

- Mission specific risk is not modeled and it is assumed that LOCV could have occurred on any flight prior to when the re- 
designs were implemented (i.e. any previous mission could have had freezing temperatures) 

• Orbiter flight software risk using Operational Increment 1 (Ol-l) which flew on STS-7 

- This is the earliest estimate that is available, risk may be higher 

• SSME risk based upon evaluation of First Manned Orbital Flight (FMOF) operational and testing history using 
SPRA methodology. 

- Credit given for SSME operating at 100% Rated Power Level (RPL) 

• Ascent Debris tile risk based upon updated the ADAM model to sample from number of damages from STS-6 
through STS-27 

- # of lower surface damages vary considerably making it difficult to fit a single distribution (7 hits to 272 hits) 

- Remaining ADAM distributions based upon the Pre-RTF distributions documented in the iteration 3.2 notebook 

• Ascent Debris RCC risk is assumed to be 2.2 times the average RCC risk based upon the ratio of above 
calculated tile risk to average tile risk 

• Orbiter APU risk includes catastrophic shaft seal failure and higher probability of hydrazine leakage leading 
to fire and explosion 

• Bulk of data adjusted to remove any discounts of failures for both phenomenological leaks as well as 
functional failures 
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MAJOR ASSUMPTIONS (STS-5) 



• Crew Ejection Seats disabled, going from 2 to 4 crew 

• SRM risk based upon 1 LOCV in 25 missions 

• Orbiter flight software risk using Ol-l 

• Ascent Debris risk is the same as STS-1 

- Does not reduce until after STS-27 

• Orbiter APU process improvements to reduce shaft seal fracture risk 

- Due to changes in hydrazine detection criteria 

• Bulk of data adjusted to remove any discounts of failures that had not been "fixed" 


by STS-5 
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MAJOR ASSUMPTIONS (STS-41B) 



• SRM risk based upon 1 LOCV in 25 missions 

• Orbiter flight software risk using 01-2 

• SSME risk based upon evaluation of Full Power Level (FPL) operational and test 
history using SPRA methodology 

• Ascent Debris risk is the same as STS-1 

- Does not reduce until after STS-27 

• Orbiter APU Hydrazine leakage reduced due to processing improvements following 


• Bulk of data adjusted to remove any discounts of failures that had not been "fixed" 
by STS-41B 


STS-9 
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MAJOR ASSUMPTIONS (STS-51L) 



• SRM risk based upon 1 LOCV in 25 missions 

• Orbiter flight software risk using 01-7 

• SSME risk based upon evaluation of Full Power Level (FPL) operational and test 
history using SPRA methodology 

• Ascent Debris risk is the same as STS-1 

- Does not reduce until after STS-27 

• Orbiter APU Hydrazine leakage reduced due to re-design of injector 

• Bulk of data adjusted to remove any discounts of failures that had not been "fixed" 
by STS-51L 
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MAJOR ASSUMPTIONS (STS-26) 



• Reusable Solid Rocket Motor (RSRM) risk based upon SPRA iteration 3.3 

• SSME risk based upon evaluation of Phase II operational and test history using 
SPRA methodology 

• Ascent Debris risk is the same as STS-1 

- Does not reduce until after STS-27 

• Orbiter APU Hydrazine leakage reduced due to re-design of injector 

• Orbiter flight software risk using OI-8B 

• Bulk of data adjusted to remove any discounts of failures that had not been "fixed" 
by STS-26 
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MAJOR ASSUMPTIONS (STS-29) 



• RSRM risk based upon SPRA iteration 3.3 

• SSME risk based upon evaluation of Phase II operational and test history 
using SPRA methodology 

• Ascent Debris tile risk based upon re-fitting ADAM input distributions 
based upon damages on STS-28 through STS-85 and running model with 
no repair 

— Risk is lower because of "fixes" following STS-27 


• MSA-1 ablative material had a flatwise tensile strength of 50 PSI; this was deemed inadequate. 

• The ablative material was changed to MSA-2 with an flatwise tensile strength of 75 PSI for STS-29 and 


• Ascent Debris RCC risk is assumed to be 0.55 times the average RCC risk 
based upon the ratio of above calculated tile risk to average tile risk 

• Orbiter flight software risk using OI-8B 

• Bulk of data adjusted to remove any discounts of failures that had not 


subs 


been "fixed" by STS-29 
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MAJOR ASSUMPTIONS (STS-49) 



• RSRM risk based upon SPRA iteration 3.3 

• SSME risk based upon evaluation of Phase II operational and test history 
using SPRA methodology 

• Ascent Debris risk is the same as STS-29 

• Orbiter flight software risk using 01-21 

• APU risk based upon IAPU 

• Bulk of data adjusted to remove any discounts of failures that had not 
been "fixed" by STS-49 
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MAJOR ASSUMPTIONS (STS-77) 



• RSRM risk based upon SPRA iteration 3.3 

• SSME risk based upon evaluation of Block I and Block IA operational and 
test history using SPRA methodology 

• Ascent Debris risk is the same as STS-29 

• Orbiter flight software risk using 01-24 

• Bulk of data adjusted to remove any discounts of failures that had not 
been "fixed" by STS-77 
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MAJOR ASSUMPTIONS (STS-86) 



• RSRM risk based upon SPRA iteration 3.3 

• SSME risk based upon evaluation of Block I and Block IA operational and 
test history using SPRA methodology 

• Ascent Debris tile risk based upon using frequency of damages on STS-86 
through STS-93 input into ADAM, other inputs are based upon the Pre-RTF 
distributions documented in the iteration 3.2 notebook with no repair 

- Dimensions and location of damages are unavailable for STS-86 which had the 
most significant damage 

— Risk is significantly higher because of new foam application process 
implemented on STS-86 

• Ascent Debris RCC risk is assumed to be 1.7 times the average RCC risk 
based upon the ratio of above calculated tile risk to average tile risk 

• Orbiter flight software risk using 01-26 

• Bulk of data adjusted to remove any discounts of failures that had not 


been "fixed" by STS-86 
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MAJOR ASSUMPTIONS (STS-89) 



• RSRM risk based upon SPRA iteration 3.3 

• SSME risk based upon evaluation of Block 1 1 A operational and test history 
using SPRA methodology 

• Ascent Debris risk is the same as STS-86 

• Orbiter flight software risk using 01-26 

• Bulk of data adjusted to remove any discounts of failures that had not 
been "fixed" by STS-89 
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MAJOR ASSUMPTIONS (STS-103) 



• RSRM risk based upon SPRA iteration 3.3 

• SSME risk based upon evaluation of Block 1 1 A operational and test history 
using SPRA methodology 

• Ascent Debris tile risk based upon re-fitting ADAM input distributions 
based upon damages on STS-103 through STS-114 and running model with 
no repair 

- Risk is lower because of implementation of ET TPS venting holes on STS-103 
(risk goes down to just below where it was before EPA banned CFC-11 Freon) 

• Ascent Debris RCC risk is assumed to be 0.39 times the average RCC risk 
based upon the ratio of above calculated tile risk to average tile risk 

• Orbiter flight software risk using OI-26B 


• Bulk of data adjusted to remove any discounts of failures that had not 
been "fixed" by STS-103 
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MAJOR ASSUMPTIONS (STS-110) 



• RSRM risk based upon SPRA iteration 3.3 

• SSME risk based upon evaluation of Block II operational and test history 
using SPRA methodology. 

• Ascent Debris risk is the same as STS-103 

• Orbiter flight software risk using 01-29 

• Bulk of data adjusted to remove any discounts of failures that had not 
been "fixed" by STS-110 
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ASSUMPTIONS (STS-114) 



• RSRM risk based upon SPRA iteration 3.3 

• SSME risk based upon evaluation of Block II operational and test history 
using SPRA methodology. 

• Ascent Debris risk is the same as STS-110 except that it includes inspection 
and repair 

- Inspection and repair based upon SPRA iteration 2.2 

• MMOD includes a FD2 inspection but no late inspection 

— No IDC for nose cap therefore assumed to be equivalent to LDRI of WLE RCC. 

• Orbiter flight software risk using 01-30 

• Risk due to BSM debris is reduced due to process improvements 


• Bulk of data adjusted to remove any discounts of failures that had not 
been "fixed" by STS-114 
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ASSUMPTIONS (STS-133) 



• Risk equivalent to SPRA iteration 3.3 

- SSME risk includes risk reduction due to Advanced Health Monitoring System 
(AHMS) 

— MMOD now includes late inspection 

— Repair and inspection estimates improved over STS-114 estimates 
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(5 th 1:23, Mean 1:12. 95 th 1:7) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

53.5 

53.5 

4.5E-02 

(1:22) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to LOCV on 
orbit or entry 

2 

19.2 

72.8 

1.6E-02 

(1:63) 

Solid Rocket Motor (SRM)-induced SRM catastrophic failure and ejection seats fail 
to save the crew 

3 

6.4 

79.2 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit leading to 
LOCV on orbit or entry 

4 

5.0 

84.2 

4.2E-03 

(1:240) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure and ejection 
seats fail to save the crew 

5 

3.7 

87.9 

3.1E-03 

(1:320) 

Orbiter APU Shaft Seal Fracture Entry and ejection seats fail to save the crew 

6 

2.9 

90.8 

2.4E-03 

(1:420) 

Auxiliary Power Unit (APU) external leak on entry and ejection seats fail to save 
the crew 

7 

2.0 

92.8 

1.7E-03 

(1:600) 

Orbiter flight software error results in catastrophic failure during ascent and 
ejection seats fail to save the crew 

8 

1.1 

93.9 

9.0E-04 

(1:1100) 

APU external leak on ascent and ejection seats fail to save the crew 

9 

1.1 

95.0 

8.8E-04 

(1:1100) 

Orbiter APU Shaft Seal Fracture Ascent and ejection seats fail to save the crew 

10 

0.8 

95.7 

6.3E-04 

(1:1600) 

SSME-induced benign shutdown of the SSME and ejection seats fail to save the 
crew 


• STS-l Risk driven by Ascent Debris and SRM risk 


• Ejection Seats reduce risk from 1:9 to 1:12 (22% reduction) 
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STS-5 RESULTS 


(5 th 1:20, Mean 1:10, 95 th 1:5) 



Rank 

%of 

Total 

Cumulati 
ve Total 

Probabil 

ity 

(1/n) 

Description 

Delta Risk 
from STS-1 

1 

42.5 

42.5 

4.5E-02 

(1:22) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to LOCV on 
orbit or entry 

None 

2 

38.2 

80.7 

4.0E-02 

(1:25) 

Solid Rocket Motor (SRM)-induced SRM catastrophic failure 

^1:42 

3 

5.1 

85.8 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit leading to 
LOCV on orbit or entry 

None 

4 

4.6 

90.5 

4.9E-03 

(1:210) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

^1:1500 

5 

2.5 

93.0 

2.6E-03 

(1:380) 

Auxiliary Power Unit (APU) external leak on entry 

^1:4500 

6 

1.7 

94.7 

1.8E-03 

(1:560) 

Orbiter flight software error results in catastrophic failure during ascent 

^1:7000 

7 

1.6 

96.3 

1.7E-03 

(1:590) 

Orbiter APU Shaft Seal Fracture Entry 

4,1:710 

8 

0.9 

97.3 

9.8E-04 

(1:1000) 

APU external leak on ascent 

^1:13000 

9 

0.8 

98.0 

8.2E-04 

(1:1200) 

Crew error during entry 

1^1:3400 

10 

0.7 

98.7 

7.1E-04 

(1:1400) 

SSME-induced benign shutdown of the SSME 

^1:14000 


• Ejection Seats disabled, most of the top risks increase 

• APU shaft seal fracture risk decreases changes in hydrazine detection criteria 
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STS-41B RESULTS 


(5 th 1:22, Mean 1:10. 95 th 1:5) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-5 

1 

43.6 

43.6 

4.5E-02 

(1:22) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading 
to LOCV on orbit or entry 

None 

2 

39.1 

82.7 

4.0E-02 

(1:25) 

Solid Rocket Motor (SRM)-induced SRM catastrophic failure 

None 

3 

5.7 

88.4 

5.9E-03 

(1:170) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

tl:1000 

4 

5.2 

93.7 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

None 

5 

0.7 

94.4 

1.7E-03 

(1:590) 

Orbiter APU Shaft Seal Fracture Entry 

None 

6 

1.7 

96.0 

1.7E-03 

(1:600) 

Orbiter flight software error results in catastrophic failure during 
ascent 

4,1:7700 

7 

1.6 

97.7 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

8 

0.8 

98.5 

7.2E-04 

(1:1400) 

SSME-induced benign shutdown of the SSME 

4^1:1 10000 

9 

0.5 

98.9 

4.8E-04 

(1:2100) 

Orbiter APU Shaft Seal Fracture Ascent 

None 

10 

0.5 

99.4 

4.7E-04 

(1:2100) 

Fuel supply failure to the OMS during orbit 

None 


SSME risk increased due to additional test failures of the FPL engine that are due in part to a higher operational power level 


Orbiter flight software risk decreases due to use of 01-2 vs. 01-1 


APU external leak risk decreases and drops from top 10 due to process improvements after STS-9 APU fire (full re-design not in 
place) 
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STS-51L RESULTS 


(5 th 1:23, Mean 1:10. 95 th 1:5) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-41B 

1 

45.0 

45.0 

4.5E-02 

(1:22) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to 
LOCV on orbit or entry 

None 

2 

40.4 

85.4 

4.0E-02 

(1:25) 

Solid Rocket Motor (SRM)-induced SRM catastrophic failure 

None 

3 

5.4 

90.8 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

None 

4 

5.2 

96.1 

5.2E-03 

(1:190) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

4/1:1500 

5 

1.1 

97.1 

1.1E-03 

(1:950) 

Orbiter flight software error results in catastrophic failure during ascent 

4/1:1600 

6 

0.8 

98.0 

8.2E-03 

(1:1200) 

Crew error during entry 

None 

7 

0.6 

98.5 

5.5E-04 

(1:1800) 

SSME-induced benign shutdown of the SSME 

4/1:6100 

8 

0.5 

99.0 

4.7E-04 

(1:2100) 

Fuel supply failure to the OMS during orbit 

None 

9 

0.4 

99.4 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

None 

10 

0.3 

99.7 

3.4E-04 

(1:2900) 

Orbiter APU Shaft Seal Fracture Entry 

1:730 


• STS-51L Risk equally driven by SRM and Ascent Debris risk 

• Risk reduction in SSME due to improvements in FPL engine 

• Orbiter APU risk on ascent dropped from the top 10 due to re-design post STS-9 

• Risk reduction in Orbiter flight software (01-7 vs. 01-1) 
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NASA Johnson Space Center, Houston, Texas 

STS-26 RESULTS 


(5 th 1:36, Mean 1:17. 95 th 1:8) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-51L 

1 

73.7 

73.7 

4.5E-02 

(1:22) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to 
LOCV on orbit or entry 

None 

2 

8.8 

82.5 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit leading 
to LOCV on orbit or entry 

None 

3 

5.6 

88.1 

3.4E-03 

(1:290) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

vH:560 

4 

1.4 

89.4 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

1.3 

90.7 

7.6E-04 

(1:1300) 

Orbiter flight software error results in catastrophic failure during ascent 

1:3400 

6 

1.1 

91.8 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic failure 

4,1:25 

7 

0.8 

92.5 

4.7E-04 

(1:2100) 

Fuel supply failure to the OMS during orbit 

None 

8 

0.6 

93.2 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

None 

9 

0.6 

93.7 

3.4E-04 

(1:2900) 

Orbiter APU Shaft Seal Fracture Entry 

None 

10 

0.4 

94.2 

2.6E-04 

(1:3800) 

SSME-induced benign shutdown of the SSME 

1:3400 


• RSRM risk decreased due to re-design post Challenger 

• SSME Risk decreased due to risk reduction with Phase II engine 

• Risk reduction in Orbiter flight software (OI-8B vs. 01-7) 
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Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

STS-29 RESULTS 


(5 th 1:57, Mean 1:35. 95 th 1:23) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-26 

1 

40.2 

40.2 

1.1E-02 

(1:89) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to 
LOCV on orbit or entry 

4/1:35 

2 

19.1 

59.3 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

None 

3 

12.2 

71.5 

3.4E-03 

(1:290) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

None 

4 

2.9 

74.4 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

2.7 

77.1 

7.6E-04 

(1:1300) 

Orbiter flight software error results in catastrophic failure during ascent 

None 

6 

2.3 

79.5 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic failure 

None 

7 

1.6 

81.1 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit 

4^1:41000 

8 

1.3 

82.4 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

None 

9 

1.2 

83.6 

3.4E-04 

(1:2900) 

Orbiter APU Shaft Seal Fracture Entry 

None 

10 

0.8 

84.5 

2.3E-04 

(1:4300) 

SRB booster separation motor debris strikes Orbiter windows 

None 


• Ascent Debris risk significantly drops due to lower likelihood of having damage >100, post STS-27. 

• QMS fuel supply risk decreases slightly due to He Regulator changes 
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Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

STS-49 RESULTS 


(5 th 1:60, Mean 1:37. 95 th 1:23) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-29 

1 

41.4 

41.4 

1.1E-02 

(1:89) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to 
LOCV on orbit or entry 

None 

2 

19.7 

61.1 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

None 

3 

12.5 

73.6 

3.4E-03 

(1:290) 

Space Shuttle Main Engine (SSME)-induced SSME uncontained failure 

None 

4 

3.0 

76.6 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

2.4 

79.0 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic failure 

None 

6 

1.8 

80.9 

5.0E-04 

(1:2000) 

Orbiter flight software error results in catastrophic failure during ascent 

4,1:3900 

7 

1.7 

82.5 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit 

None 

8 

1.4 

83.9 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

None 

9 

0.9 

84.7 

2.3E-04 

(1:4300) 

SRB booster separation motor debris strikes Orbiter windows 

None 

10 

0.7 

85.4 

1.8E-04 

(1:5500) 

Mechanisms failure 

None 


• Risk is very similar to STS-29 with a risk reduction in Orbiter flight software (01-21 vs. OI-8B) 
and Risk reductions due to IAPU 
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Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

STS-77 RESULTS 


(5 th 1:62, Mean 1:38. 95 th 1:24) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-49 

1 

42.8 

42.8 

1.1E-02 

(1:89) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading 
to LOCV on orbit or entry 

None 

2 

20.4 

63.2 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

None 

3 

10.2 

73.4 

2.7E-03 

(1:380) 

Space Shuttle Main Engine (SSME)-induced SSME uncontained failure 

4/1:1400 

4 

3.1 

76.6 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

2.5 

79.1 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic 
failure 

None 

6 

1.7 

80.8 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit 

None 

7 

1.5 

82.2 

3.8E-04 

(1:2600) 

Orbiter flight software error results in catastrophic failure during 
ascent 

4/1:8500 

8 

1.4 

83.7 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

None 

9 

0.9 

84.5 

2.3E-04 

(1:4300) 

SRB booster separation motor debris strikes Orbiter windows 

None 

10 

0.7 

85.2 

1.8E-04 

(1:5500) 

Mechanisms failure 

None 


• SSME risk reduction due to Block I and IA vs. Phase II engine 

• Risk reduction in Orbiter flight software (01-24 vs. 01-21) 
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Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

STS-86 RESULTS 


(5 th 1:44, Mean 1:21. 95 th 1:11) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-77 

1 

70.8 

70.8 

3.4E-02 

(1:30) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading 
to LOCV on orbit or entry 

^1:44 

2 

11.1 

81.9 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

None 

3 

5.6 

87.5 

2.7E-03 

(1:380) 

Space Shuttle Main Engine (SSME)-induced SSME uncontained failure 

None 

4 

1.7 

89.2 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

1.4 

90.6 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic 
failure 

None 

6 

0.9 

91.5 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit 

None 

7 

0.8 

92.3 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

None 

8 

0.7 

92.9 

3.2E-04 

(1:3100) 

Orbiter flight software error results in catastrophic failure during 
ascent 

1:15000 

9 

0.5 

93.4 

2.3E-04 

(1:4300) 

SRB booster separation motor debris strikes Orbiter windows 

None 

10 

0.4 

93.8 

1.9E-04 

(1:5400) 

SSME-induced benign shutdown of the SSME 

^1:22000 


• Ascent Debris risk increase due to revised ET foam application process 

• SSME shutdown risk increase due to Ascent Debris risk increase 


• Risk reduction in Orbiter flight software (01-26 vs. 01-24) 
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NASA Johnson Space Center, Houston, Texas 

STS-89 RESULTS 


(5 th 1:46, Mean 1:21. 95 th 1:11) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-86 

1 

72.6 

72.6 

3.4E-02 

(1:30) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to 
LOCV on orbit or entry 

None 

2 

11.4 

84.0 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

None 

3 

3.1 

87.2 

1.5E-03 

(1:680) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

4,1:840 

4 

1.8 

88.9 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

1.4 

90.3 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic failure 

None 

6 

1.0 

91.3 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit 

None 

7 

0.8 

92.1 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

None 

8 

0.7 

92.8 

3.2E-04 

(1:3100) 

Orbiter flight software error results in catastrophic failure during ascent 

None 

9 

0.5 

93.2 

2.3E-04 

(1:4300) 

SRB booster separation motor debris strikes Orbiter windows 

None 

10 

0.4 

93.6 

1.8E-04 

(1:5500) 

Mechanisms failure 

None 


• SSME risk reduction due to Block IIA vs. Block I engine 


6/24/2011 


60 



SPACE SHUTTLE PROGRAM 

Space Shuttle Safety and Mission Assurance Office 
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STS-103 RESULTS 


(5 th 1:74, Mean 1:47. 95 th 


1:31) 



Rank 

% of 
Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-89 

1 

37.3 

37.3 

7.9E-03 

(1:130) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to 
LOCV on orbit or entry 

4,1:38 

2 

25.2 

62.5 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

None 

3 

6.9 

69.5 

1.5E-03 

(1:680) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

None 

4 

3.9 

73.3 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

3.1 

76.4 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic failure 

None 

6 

2.1 

78.6 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit 

None 

7 

1.7 

80.3 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

None 

8 

1.4 

81.7 

3.0E-04 

(1:3400) 

Orbiter flight software error results in catastrophic failure during ascent 

1:48000 

9 

1.1 

82.8 

2.3E-04 

(1:4300) 

SRB booster separation motor debris strikes Orbiter windows 

None 

10 

0.9 

83.7 

1.8E-04 

(1:5500) 

Mechanisms failure 

None 


• Ascent Debris risk significantly decreases due to ET foam venting holes on STS-103 

• Risk reduction in Orbiter flight software (01-26 vs. OI-26B) 
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Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

STS-110 RESULTS 


(5 th 1:74, Mean 1:47. 95 th 1:31) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-103 

1 

37.4 

37.4 

7.9E-03 

(1:130) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to 
LOCV on orbit or entry 

None 

2 

25.3 

62.7 

5.3E-03 

(1:190) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

None 

3 

7.8 

70.5 

1.6E-03 

(1:610) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

^1:5600 

4 

3.9 

74.4 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

3.1 

77.5 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic failure 

None 

6 

2.1 

79.6 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS 

None 

7 

1.7 

81.3 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

None 

8 

1.2 

82.6 

2.6E-04 

(1:3800) 

Orbiter flight software error results in catastrophic failure during ascent 

4,1:27000 

9 

0.9 

83.4 

1.8E-04 

(1:5500) 

Mechanisms failure 

None 

10 

0.8 

84.3 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling 
the H20 loops and crew is unable to prevent rupture of the interchanger 
resulting in Loss of All Cooling 

None 


• SSME risk increases due to engine re-design (Block II vs. Block IIA engine) 


- There were three early HPFTP-AT related failures. Although heavily discounted due to improvements, risk still increases. 

• Risk reduction in Orbiter flight software (01-29 vs. 01-26) 
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NASA Johnson Space Center, Houston, Texas 

STS-114 RESULTS 


(5 th 1:100. Mean 1:73. 95 th 1:52) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-110 

1 

37.3 

37.3 

5.1E-03 

(1:200) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

4,1:4700 

2 

12.1 

49.4 

1.7E-03 

(1:600) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to 
LOCV on orbit or entry 

4,1:160 

3 

12.0 

61.4 

1.6E-03 

(1:610) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

None 

4 

6.0 

67.3 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

4.8 

72.1 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic failure 

None 

6 

1.6 

73.8 

2.3E-04 

(1:4400) 

Orbiter flight software error results in catastrophic failure during ascent 

4,1:29000 

7 

1.3 

75.1 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling 
the H20 loops and crew is unable to prevent rupture of the interchanger 
resulting in Loss of All Cooling 

None 

8 

1.2 

76.3 

1.7E-04 

(1:5900) 

Solid Rocket Booster (SRB) APU shaft seal fracture 

None 

9 

1.1 

77.4 

1.5E-04 

(1:6500) 

SRB booster separation motor debris strikes Orbiter windows 

None 

10 

1.0 

78.4 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the GH2 re- 
pressurization line 

None 


• Ascent Debris risk significantly drops due to inspection with repair and crew rescue. No 
credit given to reduced environment. 


• MMOD risk slightly decreases due to FD2 inspection (no late inspection) 
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STS-133 RESULTS (ITERATION 3.3 with updated SSME) 

(5 th 1:130, Mean 1:90. 95 th 1:63) 



Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

Delta Risk 
from STS-114 

1 

29.6 

29.6 

3.3E-03 

(1:300) 

Micrometeoroid and Orbital Debris (MMOD) strikes Orbiter on orbit 
leading to LOCV on orbit or entry 

4/1:550 

2 

13.7 

43.3 

1.5E-03 

(1:650) 

Space Shuttle Main Engine (SSME)-induced SSME catastrophic failure 

4/1:8500 

3 

9.6 

52.9 

1.1E-03 

(1:940) 

Ascent debris strikes Orbiter Thermal Protection System (TPS) leading to 
LOCV on orbit or entry 

4/1:1700 

4 

7.4 

60.3 

8.2E-04 

(1:1200) 

Crew error during entry 

None 

5 

5.9 

66.1 

6.5E-04 

(1:1500) 

Reusable Solid Rocket Motor (RSRM)-induced RSRM catastrophic failure 

None 

6 

2.0 

68.2 

2.3E-04 

(1:4400) 

Flight Software error result in catastrophic failure during ascent 

None 

7 

1.6 

69.8 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling 
the H20 loops and crew is unable to prevent rupture of the interchanger 
resulting in Loss of All Cooling 

None 

8 

1.5 

71.3 

1.7E-04 

(1:5900) 

Solid Rocket Booster (SRB) APU shaft seal fracture 

None 

9 

1.2 

72.5 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the G H2 re- 
pressurization line 

None 

10 

1.2 

73.6 

1.3E-04 

(1:7700) 

Collision of the Orbiter with the International Space Station (ISS) during 
rendezvous and docking 

None 


MMOD risk decreases due to late inspection 


Ascent Debris risk decrease due to reduced debris environment and improved repair 


• SSME risk decreases due to AHMS 
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Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 


DATA DEVELOPMENT 



• RSRM 

- Reusable Solid Rocket Motor (SRM) risk based upon 1 LOCV in 25 missions prior to Challenger and 
based upon iteration 3.3 for the remaining missions 

• Functional Data 


- A modified version of the SPRA functional database was created which enables the user 
to select a particular flight and the failure rate/probability will be updated to be used in 
the SAPHIRE input file (.bei file) 

• All Bayesian updated data was reviewed and discounts taken for design changes were 
evaluated for when they were implemented and separate failure rates/probabilities were 
calculated based upon removing the discounts 

- For example Orbiter Auxiliary Power Unit (APU) failure to run is automatically assigned a failure rate of 
4.36E-3/hr if STS-1 is selected and 1.76E-3/hr if STS-133 is selected because of failures on STS-7 and STS- 
71 which had design changes implemented by STS-133. 

• Unique data events such as tires and icicles forming during water dumps were evaluated 
separately and flight effectivities were assigned 

• Phenomenological Data 

- Discounts were removed based upon when design changes were implemented and 
Shuttle Phenomenological Leak Analysis Tool (SPLAT) was used to calculate update 
results 

• Since SPLAT takes some time to run only evaluated specific missions of interest 

• For example the probability of Orbiter APU High Pressure Hydrazine leakage for STS-1 is 3.6E- 
03/mission and for STS-133 it is 1.64E-04/mission 
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SPACE SHUTTLE PROGRAM 

Space Shuttle Safety and Mission Assurance Office 

NASA Johnson Space Center, Houston, Texas 

DATA DEVELOPMENT (2) 



• Space Shuttle Main Engine (SSME) Uncontained Data 

• First Manned Orbital Flight (FMOF), STS-1 through STS-5 

• Partial failure discount given for FMOF engines operating at much lower rated power level (RPL) than tests failures, fleet 
leaders ground test failure and chance of material defects on flight engines 

• Full Power Level (FPL), STS-6 to STS-41B 

• Most of the engine failures occurred prior and during FPL flight were addressed by STS-41B 

• Minimal discounts applied to high pressure turbopump bearing sub synchronous vibration based on understanding of the 
failure mode, and that the redesign is not implemented until Phase II 

• Full Power Level (FPL), STS-41B through STS-5 1L 

• Slight improvement in risk due to the addition of HPFTP coolant liner pressure redline on STS-41C, and life limits on HPFTP first 
stage impeller 

• Phase II, STS-26 through STS-76 plus STS-94 

• Risk significantly reduced due to the redesign HPFTP coolant liner seals, HPFTP first stage impeller manufacturing changes, and 
life limits on MCC and nozzle 

• STS-94 is considered Phase II even though it has one Block IA 

• Block I, STS-77through STS-88 

• Included risks for Block IA configuration, and a handful of Phase II engines flights 

• Risk is reduced due to the introduction of HPOTP-AT, and the only applicable HPOTP-AT failure was corrected by first Block I 
flight 

• Additional risk reduction from HPOTP-AT hardware robustness factor was mistakenly left out, but the difference is not 
significant 

• Block IIA, STS-89 to STS-109 

• Significant risk reduction due to the incorporation of the Large Throat Main Combustion Chamber (LTMCC) and associated Block II 
environment factor for reduced harsh operating environment introduced by LTMCC 

• Additional risk reduction from HPFTP-AT hardware robustness factor was mistakenly left out, but the difference is not significant 

• Block II w/o Advanced Health Management System (AHMS), STS-110 to STS-118 

• Slight increase in risk over Block IIA engine due to addition of three early HPFTP-AT related failures that were heavily 
discounted 


• Block II w/ AHMS, STS-118 to Today 
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@f 

• Space Shuttle Main Engine (SSME) Safe Shutdown Data 

• First Manned Orbital Flight (FMOF), STS-1 through STS-5 

• Corrective actions for two failures were implemented by STS-1 

• Partial failure discount given for FMOF engines operating at 100% rated power level ( RPL) where the failures happened at 
higher RPL or chance of material defects on flight engines 

• Other future failures were not discounted if they were deemed possible 

• Full Power Level (FPL), STS-6 to STS-41B 

• Partial failure discount given for portion of the FPL engines that did not get redesign and corrective actions, and failure 
occurring at much higher ground tests power level 

• Full Power Level (FPL), STS-41B through STS-5 1L 

• Majority of the SSME safe shutdown occurred and corrective action completed prior to STS-51L 

• STS-51F temp sensor failure and flowmeter parameter loading error were not discounted 

• Phase II, STS-26 through STS-76 plus STS-94 

• Majority of the SSME safe shutdown occurred and corrective action implemented by phase II engine 

• Block I, STS-77through STS-88 

• Included risks for Block IA configuration, and a handful of full cluster Phase II engines flights 

• Risk is reduced due to introduction of HPOTP-AT, 

• Additional risk reduction from HPOTP-AT hardware robustness factor was mistakenly left out, but the difference is not 
significant 

• Block IIA, STS-89 to STS-109 

• Significant risk reduction due to the incorporation of the Large Throat Main Combustion Chamber (LTMCC) and associated Block II 
environment factor for reduced harsh environment introduced by LTMCC 

• There were no applicable HPFTP-AT or HPOTP-AT failures counted against Block I through Block II without AHMS engines 

• Additional risk reduction from HPFTP-AT hardware robustness factor was mistakenly left out, but the difference is not significant 

• Block II w/o Advanced Health Management System (AHMS), STS-110 to STS-118 

• No change in risk from Block IIA due to no applicable failures 

• Block II w/ AHMS, STS-118 to Today 

• Two of the HPFTP-AT uncontained failures that could be caught by AHMS were transfer to safe shutdown category 
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DATA DEVELOPMENT (3) 
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DATA DEVELOPMENT (4) 



• Ascent Debris 

- Tile risk is based upon Orbiter damages and uses the ADAM model and RCC risk is based upon flight 
history using engineering judgment to adjust with the changing environment. The chart on the next 
pages provides additional detail on how the RCC risk is adjusted. 

• Inspection 

- Prior to STS-114 no inspection 

- STS-114 FD2 inspection but no late inspection 

- Post STS-114 FD2 and late inspection 

• Repair 

- Prior to STS-114 no repair 

- STS-114 limited repair capability with large uncertainties (SPRA iteration 2.2 values) 

- Post STS-114 repair capability the same as iteration 3.3 
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DATA DEVELOPMENT ASCENT DEBRIS RISK 


ADAM RESULTS BY MISISON 


0.03 


0.025 
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0.015 


0.01 
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1:64 


Pre-RTF value of 1:241 which is documented in iteration 3.2. 
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RCC RESULTS BY MISISON 
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Note: average of 1:120 is consistent with previously calculated 
Pre-RTF value of 1:126 which is documented in iteration 3.2. 
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RCC is 
assumed 
to have 
the same 
ratio to 
average 
risk as tile 
with the 
average 
RCC risk 
calculated 
by using a 
Jeffreys 
prior 
Bayesian 
updated 
with 1 in 
113 
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ORBITER LOWER SURFACE DAMAGES ARRANGED 

BY ET START DATE 



Black indicates LWT 
Red indicates SLWT 
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Debris Hits by ET Start Date 


Mission 88, STS-87, ET-89 was the first 

mission with new foam on intertank 


Mission 87, STS-86, ET-88 was the first mission 
with new foam on tank'sacreage 


Mission 96, STS-103, ET-101 was the first 
mission with venting holes on ET TPS 


LWT ET-93 used on STS- 107 
(Columbia accident) goes here: 
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Prior to ET-88 (STS-86) the average number of hits to the lower surface >1 inch was —13, from ET-88 to ET-100 
(STS-96) the average is ~45. Once the ET is vent the averages drops back down to ~16. 

There does not appear to be a significant difference between LWT and SLWT with regard to lower surface 
damages 

- Graph starts at ET-62 because ET start date was unavailable prior to ET-62, however damage trend is similar prior to ET- 
62 and post return to flight after Challenger (with the exception of STS-27 which had significant damage due to SRB 
nose cap TPS debris) 
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ORBITER LOWER SURFACE DAMAGES ARRANGED BY ET 

NUMBER 




Black indicates LWTRed indicates SLWT 
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Mission 88, STS-87, ET-89 was the first 
mission with newfoam on intertank 


Mission 87, STS -86, ET-88 was the 
first mission with newfoam on 
tank'sacreage 



LWT ET-93 used on STS- 107 (Columbia 
accident) goeshere: 


ET-101 was the first mission with 
venting holes on ETTPS 
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• Ordering by ET number starting with ET-27 shows a similar trend to the previous 
chart with no apparent significant difference between LWT and SLWT with regard 
to lower surface damages 
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STS-1 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:120, Mean 1:69, 95 th 1:42) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

3.7 

3.7 

3.1E-03 

(1:320) 

Orbiter APU Shaft Seal Fracture Entry and ejection seats fail to save the crew 

2 

2.9 

6.6 

2.4E-03 

(1:380) 

Auxiliary Power Unit (APU) external leak on entry and ejection seats fail to save 
the crew 

3 

2.0 

8.6 

1.7E-03 

(1:600) 

Orbiter flight software error results in catastrophic failure during ascent 

4 

1.1 

9.7 

9.0E-04 

(1:1100) 

APU external leak on ascent 

5 

1.1 

10.8 

8.8E-04 

(1:1100) 

Orbiter APU Shaft Seal Fracture Ascent 

6 

0.6 

11.4 

4.7E-04 

(1:2100) 

Fuel supply failure to the OMS during orbit and crew rescue fails 

7 

0.5 

11.9 

4.1E-04 

(1:2400) 

Orbiter flight software error results in catastrophic failure during entry 

8 

0.4 

12.3 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

9 

0.4 

12.7 

3.6E-04 

(1:2800) 

Common cause failure of the Data Processing System (DPS) on orbit 

10 

0.3 

13.0 

2.9E-04 

(1:3500) 

Control or mechanical failure causes Main Propulsion System (MPS) prevalves 
to fail to close 
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STS-5 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:120, Mean 1:76, 95 th 1:42) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

2.5 

2.5 

2.6E-03 

(1:380) 

Auxiliary Power Unit (APU) external leak on entry 

2 

1.7 

4.2 

1.8E-03 

(1:560) 

Orbiter flight software error results in catastrophic failure during ascent 

3 

1.6 

5.8 

1.7E-03 

(1:590) 

Orbiter APU Shaft Seal Fracture Entry 

4 

0.9 

6.7 

9.8E-04 

(1:1000) 

APU external leak on ascent 

5 

0.5 

7.2 

4.8E-04 

(1:2100) 

Orbiter APU Shaft Seal Fracture Ascent 

6 

0.5 

7.7 

4.7E-04 

(1:2100) 

Fuel supply failure to the OMS during orbit 

7 

0.4 

8.1 

4.5E-04 

(1:2200) 

Orbiter flight software error results in catastrophic failure during entry 

8 

0.4 

8.5 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

9 

0.3 

8.8 

3.6E-04 

(1:2800) 

Common cause failure of the Data Processing System (DPS) on orbit 

10 

0.3 

9.1 

2.9E-04 

(1:3500) 

Control or mechanical failure causes Main Propulsion System (MPS) prevalves 
to fail to close 
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STS-41B ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:180, Mean 1:110, 95 th 1:67) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

1.7 

1.7 

1.7E-03 

(1:590) 

Orbiter APU Shaft Seal Fracture Entry 

2 

1.6 

3.3 

1.7E-03 

(1:600) 

Orbiter flight software error results in catastrophic failure during ascent 

3 

0.5 

3.8 

4.8E-04 

(1:2100) 

Orbiter APU Shaft Seal Fracture Ascent 

4 

0.5 

4.3 

4.7E-04 

(1:2100) 

Fuel supply failure to the OMS during orbit 

5 

0.4 

4.7 

4.2E-04 

(1:2400) 

Orbiter flight software error results in catastrophic failure during entry 

6 

0.4 

5.1 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

7 

0.2 

5.3 

1.9E-04 

(1:5200) 

Common cause failure of the Data Processing System (DPS) on orbit 

8 

0.2 

5.5 

1.9E-04 

(1:5300) 

Mechanisms failure 

9 

0.2 

5.7 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

10 

0.2 

5.9 

1.7E-04 

(1:6000) 

Flight Software error result in catastrophic failure during orbit 
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STS-51L ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:240, Mean 1:160, 95 th 1:110) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

1.1 

1.1 

1.1E-03 

(1:950) 

Orbiter flight software error results in catastrophic failure during ascent 

2 

0.5 

1.6 

4.7E-04 

(1:2100) 

Fuel supply failure to the OMS during orbit 

3 

0.4 

2.0 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

4 

0.3 

2.3 

3.4E-04 

(1:2900) 

Orbiter APU Shaft Seal Fracture Entry 

5 

0.3 

2.6 

2.6E-04 

(1:3800) 

Orbiter flight software error results in catastrophic failure during entry 

6 

0.2 

2.8 

1.9E-04 

(1:5200) 

Common cause failure of the Data Processing System (DPS) on orbit 

7 

0.2 

3.0 

1.8E-04 

(1:5500) 

Mechanisms failure 

8 

0.2 

3.2 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

9 

0.2 

3.4 

1.6E-04 

(1:6300) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

10 

0.1 

3.5 

1.4E-04 

(1:6900) 

Common cause failure of the APU System on entry 
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STS-26 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:250, Mean 1:170, 95 th 1:110) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

1.3 

1.3 

7.5E-04 

(1:1300) 

Orbiter flight software error results in catastrophic failure during ascent 

2 

0.8 

2.1 

4.7E-04 

(1:2100) 

Fuel supply failure to the OMS during orbit and crew rescue fails 

3 

0.6 

2.7 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

4 

0.6 

3.3 

3.4E-04 

(1:2900) 

Orbiter APU Shaft Seal Fracture Entry 

5 

0.3 

3.6 

1.9E-04 

(1:5200) 

Common cause failure of the Data Processing System (DPS) on orbit 

6 

0.3 

3.9 

1.9E-04 

(1:5300) 

Orbiter flight software error results in catastrophic failure during entry 

7 

0.3 

4.2 

1.8E-04 

(1:5500) 

Mechanisms failure and subsequent failure of a crew rescue attempt 

8 

0.3 

4.5 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

9 

0.3 

4.8 

1.6E-04 

(1:6300) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

10 

0.2 

5.0 

1.4E-04 

(1:6900) 

Common cause failure of the APU System on entry 
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STS-29 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:270, Mean 1:180, 95 th 1:120) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

2.7 

2.7 

7.6E-04 

(1:1300) 

Orbiter flight software error results in catastrophic failure during ascent 

2 

1.6 

4.3 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit and crew rescue fails 

3 

1.3 

5.6 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

4 

1.2 

6.8 

3.4E-04 

(1:2900) 

Orbiter APU Shaft Seal Fracture Entry 

5 

0.7 

7.5 

1.9E-04 

(1:5200) 

Common cause failure of the Data Processing System (DPS) on orbit 

6 

0.7 

8.2 

1.9E-04 

(1:5300) 

Orbiter flight software error results in catastrophic failure during entry 

7 

0.7 

8.9 

1.8E-04 

(1:5500) 

Mechanisms failure and subsequent failure of a crew rescue attempt 

8 

0.6 

9.5 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

9 

0.6 

10.1 

1.6E-04 

(1:6300) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

10 

0.5 

10.6 

1.4E-04 

(1:6900) 

Common cause failure of the APU System on entry 
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STS-49 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:320, Mean 1:210, 95 th 1:140) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

1.8 

1.8 

5.0E-04 

(1:2000) 

Orbiter flight software error results in catastrophic failure during ascent 

2 

1.6 

3.4 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit and crew rescue fails 

3 

1.3 

4.7 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

4 

0.7 

5.4 

1.8E-04 

(1:5500) 

Mechanisms failure and subsequent failure of a crew rescue attempt 

5 

0.6 

6.0 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

6 

0.6 

6.6 

1.6E-04 

(1:6300) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

7 

0.6 

7.2 

1.6E-04 

(1:6300) 

Common cause failure of the Data Processing System (DPS) on orbit 

8 

0.5 

7.7 

1.4E-04 

(1:6900) 

Common cause failure of the APU System on entry 

9 

0.5 

8.2 

1.3E-04 

(1:7400) 

Auxiliary Power Unit (APU) external leak on entry 

10 

0.5 

8.7 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the GH2 re- 
pressurization line 
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STS-77 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:330, Mean 1:220, 95 th 1:140) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

1.7 

1.7 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit and crew rescue fails 

2 

1.5 

3.2 

3.8E-04 

(1:2600) 

Orbiter flight software error results in catastrophic failure during ascent 

3 

1.4 

4.6 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

4 

0.7 

5.3 

1.8E-04 

(1:5500) 

Mechanisms failure and subsequent failure of a crew rescue attempt 

5 

0.7 

6.0 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

6 

0.6 

6.6 

1.6E-04 

(1:6300) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

7 

0.6 

7.2 

1.6E-04 

(1:6300) 

Common cause failure of the Data Processing System (DPS) on orbit 

8 

0.5 

7.7 

1.3E-04 

(1:7400) 

Auxiliary Power Unit (APU) external leak on entry 

9 

0.5 

8.2 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the G H2 re- 
pressurization line 

10 

0.5 

8.7 

1.3E-04 

(1:7600) 

RCS thruster fail leak or off on orbit 
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STS-86 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:350, Mean 1:230, 95 th 1:150) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

0.9 

0.9 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit and crew rescue fails 

2 

0.8 

1.7 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

3 

0.7 

2.4 

3.2E-04 

(1:3100) 

Orbiter flight software error results in catastrophic failure during ascent 

4 

0.4 

2.8 

1.8E-04 

(1:5500) 

Mechanisms failure and subsequent failure of a crew rescue attempt 

5 

0.4 

3.2 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

6 

0.3 

3.5 

1.6E-04 

(1:6300) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

7 

0.3 

3.8 

1.6E-04 

(1:6300) 

Common cause failure of the Data Processing System (DPS) on orbit 

8 

0.3 

4.1 

1.3E-04 

(1:7400) 

Auxiliary Power Unit (APU) external leak on entry 

9 

0.3 

4.4 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the G H2 re- 
pressurization line 

10 

0.2 

4.6 

1.1E-04 

(1:8900) 

Common cause failure of the APU System on entry 
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STS-89 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:370, Mean 1:240, 95 th 1:150) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

1.0 

1.0 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit and crew rescue fails 

2 

0.8 

1.8 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

3 

0.7 

2.5 

3.2E-04 

(1:3100) 

Orbiter flight software error results in catastrophic failure during ascent 

4 

0.4 

2.9 

1.8E-04 

(1:5500) 

Mechanisms failure and subsequent failure of a crew rescue attempt 

5 

0.4 

3.3 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

6 

0.3 

3.6 

1.6E-04 

(1:6300) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

7 

0.3 

3.9 

1.6E-04 

(1:6300) 

Common cause failure of the Data Processing System (DPS) on orbit 

8 

0.3 

4.2 

1.3E-04 

(1:7400) 

Auxiliary Power Unit (APU) external leak on entry 

9 

0.3 

4.5 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the G H2 re- 
pressurization line 

10 

0.2 

4.7 

1.1E-04 

(1:8900) 

Common cause failure of the APU System on entry 
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STS- 103 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:380, Mean 1:250, 95 th 1:160) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

2.1 

2.1 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit and crew rescue fails 

2 

1.7 

3.8 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

3 

1.4 

5.2 

3.0E-04 

(1:3400) 

Orbiter flight software error results in catastrophic failure during ascent 

4 

0.9 

6.1 

1.8E-04 

(1:5500) 

Mechanisms failure and subsequent failure of a crew rescue attempt 

5 

0.8 

6.9 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

6 

0.7 

7.6 

1.6E-04 

(1:6300) 

Common cause failure of the Data Processing System (DPS) on orbit 

7 

0.7 

8.3 

1.5E-04 

(1:6800) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

8 

0.6 

8.9 

1.3E-04 

(1:7400) 

Auxiliary Power Unit (APU) external leak on entry 

9 

0.6 

9.5 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the G H2 re- 
pressurization line 

10 

0.5 

10.0 

1.1E-04 

(1:8900) 

Common cause failure of the APU System on entry 
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STS- 110 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:400, Mean 1:250, 95 th 1:160) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

2.1 

2.1 

4.5E-04 

(1:2200) 

Fuel supply failure to the OMS during orbit 

2 

1.7 

3.8 

3.7E-04 

(1:2700) 

Debonding of TPS during ascent 

3 

1.2 

5.0 

2.6E-04 

(1:3800) 

Orbiter flight software error results in catastrophic failure during ascent 

4 

0.9 

5.9 

1.8E-04 

(1:5500) 

Mechanisms failure 

5 

0.8 

6.7 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

6 

0.7 

7.4 

1.6E-04 

(1:6300) 

Common cause failure of the Data Processing System (DPS) on orbit 

7 

0.6 

8.0 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the G H2 re- 
pressurization line 

8 

0.6 

8.6 

1.3E-04 

(1:7900) 

Auxiliary Power Unit (APU) external leak on entry 

9 

0.6 

9.2 

1.2E-04 

(1:8300) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

10 

0.5 

9.7 

1.1E-04 

(1:8900) 

Common cause failure of the APU System on entry 
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STS- 114 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:520, Mean 1:350, 95 th 1:240) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

1.6 

1.6 

2.3E-04 

(1:4400) 

Orbiter flight software error results in catastrophic failure during ascent 

2 

1.3 

2.9 

1.8E-04 

(1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

3 

1.0 

3.9 

1.3E-04 

(1:7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the GH2 re- 
pressurization line 

4 

0.9 

4.8 

1.3E-04 

(1:7900) 

Auxiliary Power Unit (APU) external leak on entry 

5 

0.8 

5.6 

1.1E-04 

(1:8900) 

Common cause failure of the APU System on entry 

6 

0.8 

6.4 

1.1E-04 

(1:8900) 

Reaction Control System (RCS) thrusters burnthrough on orbit 

7 

0.7 

7.1 

1.0E-04 

(1:9700) 

Power Reactant Storage and Distribution (PRSD) tank rupture 

8 

0.7 

7.8 

9.4E-05 

(1:11000) 

Common cause failure of the Electrical Power System (EPS) on orbit 

9 

0.7 

8.5 

9.3E-05 

(1:11000) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

10 

0.7 

9.2 

9.2E-05 

(1:11000) 

Debonding of TPS during ascent 
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STS- 133 ORBITER HARDWARE/SOFTWARE RESULTS 
(5 th 1:550, Mean 1:370, 95 th 1:250) 



Rank 

% of Total 

Cumulative 

Total 

Probability 

(1/n) 

Description 

1 

2.0 

2.0 

2.3E-04 
(1 :4400) 

Orbiter Flight Software error result in catastrophic failure during ascent 

2 

1.6 

3.6 

1.8E-04 
(1 :5600) 

Ammonia Boiler System (ABS) isolation valve leaks on Orbit overcooling the H20 
loops and crew is unable to prevent rupture of the interchanger resulting in 
Loss of All Cooling 

3 

1.2 

4.8 

1.3E-04 
(1 :7600) 

Flow Control Valve (FCV) poppet failure causes rupture in the GH2 re- 
pressurization line 

4 

1.1 

5.9 

1.3E-04 
(1 :7900) 

Auxiliary Power Unit (APU) external leak on entry 

5 

1.0 

6.9 

1.1E-04 

(1:8900) 

Reaction Control System (RCS) thrusters burnthrough on orbit 

6 

0.9 

7.8 

1.0E-04 

(1:9700) 

Power Reactant Storage and Distribution (PRSD) tank rupture 

7 

0.8 

8.6 

9.4E-05 

(1:11000) 

Common cause failure of the Electrical Power System (EPS) on orbit 

8 

0.8 

9.4 

9.3E-05 

(1:11000) 

Flight control surface (elevons, rudder, body flap) actuators fail/jam during 
entry 

9 

0.8 

10.2 

9.1E-05 

(1:11000) 

Common cause failure of the APU System on entry 

10 

0.8 

11.0 

8.4E-05 

(1:12000) 

Control or mechanical failure causes Main Propulsion System (MPS) prevalves 
to fail to close 
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EXAMPLES FUNCTIONAL DATA CHANGES 



Index 

ST5-1 

STS-51L 

SIS-26 

SIS-49 

srs-iio 

STS- 114 

sms- 121 

Iter 3.2 


act_120a 

8.75E-06: Power Spool that Sums (combines) hydraulic 
force from individual systems/control valves to drive 
the Primary Actuator, jams 

8.75E-06: &75E-06 &75E-06 




2.8LE-06 

Bayesian. Credit for design change 
beginning STS-1Q1 

act 320j 

7.77E-06:The Hydraulic Ram - muscle - that moves the 
Elevons, SSME TVC pitch & yaw, & Landi ng Gear 

7./7E-06: 7.77E-06 7.77E-06 




5.50E-06 

Bayesian. Credit for added test begi nni ng 
STS-91 

apu 284a 

2.13E-Q3:MPU fails low 

2.13E-Q3: 

Z13E-Q3 Z 13E-03 




4.86E-04 

Bayesian. Credit for manufacturing, 
design and vander change beginning STS- 
82 

apu-289a 

1.41E-Q3: APU fails to start 

1.41E-Q3: 

L41E-Q3 L41E-03 

L41E-Q3: 

L41E-03: L41E-03 

6.60E-04 

Bayesian. Heater added to GN2 QD 
beginningSTS-124 

apu 314a 

4.36E-Q3: APU Fails to Run 

3.49E-03 

1 

3.49E-03 

r i 

;3.49E-03 




1.76E-Q3 

Bayesian. Credit for dean room 
procedures beginning STS-80 

duct_UQx 

1.27E-CB: IAPU Exhaust Leak 

Repurposed to APU Shaft Seal failure prior to IAPU 

1.27E-04: 

1.2/E -04 





1.95E-06 

IAPU exhaust leak prior to SI5-47 was 
repurposed. APUShaftSeal failure with 
process improvements fol lowing STS-9, 
and redesigned injector tube beginning 
STS61-C 

atcs-441 

5.93E-03: Icicle Forms from Water Dump 

Nozzle redesigned after 2ft icide forms durringSTS 41-D 







2.37E-Q3 

Water dump nozzle redesigned after STS 
41-D (2ft iade) 

eco-wet 

4.14E-03: Engine Cut-Off sensor fails Wet 

Source does not indude 1st 6flights due to redesign of 

sensor wiring. 







4.14E-04 

ECO sensor wiring redesigned beginning 
STS-7 

flt_100r 

2.90E-0S: OMS Engine Restricted flow 

... 




... 

... 

1.56E-0S 

Bayesian. Contamination on ST5-L 

flt_110f 

4.38E-07: FCL filter plugged 

4.38E-07: 

4.38E-07 3.82E-07 




2.16E-07 

Bayesian. Anti-contamination procedures 
and design changes beginning ST5-4L 
Braze procedure changes begi nni ngSTS- 
110 

eps-7e 

2.78E-0S: Fuel cell fails to run (produce power) 

2.78E-0S: 

Z78E-05 Z78E-05 




2.22E-0S 

Bayesian. Instrumentation added to 
provide insight beginning STS-84 


Note: ... means it is equal to SPRA iteration 3.3 
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EXAMPLES FUNCTIONAL DATA CHANGES (2) 



Index 

SIS-1 

STS-51L 

SIS- 26 

SIS- 49 

SI5-110 

STS-114 

STS- 121 

Iter 3.2 


eps-8e 

8.64E-06: Phe nomen logical failure of fuel cell 

8.64E-06: 






7.56E-06 

Bayesian. Changes in design beginning 
STS-26 

gbx 110a 

6.58E-Q6: Rotary ActuatorJams 

6.58E-06: 

6.58E-06 6.58E-06 

6.58E-06 



3.70E-06 

Bayesian. Corrective action taken after 
gears found to be installed reversed 
beginning SIS- 114 

gyro_103r 6.46E-06: Loss of Output from Orbiter Rate Gyro Assy 

6.46E-06: 

6.46E-06 





9.86E-07 

Bayesian. Design change beginning STS- 
32 

7.Q9E-06: Loss of Output from Inertial Measurement 
gyro_105t Unit ( IMU) (3 Gyros + 2 Accelerometers) 

7.Q9E-06: 

7.Q9E-06 7.09E-06 

5.73E-06 



4.97E-06 

Bayesian. Design and manufacturing 
changes beginning SIS-1Q9 

htr_140a 

3.20E-05: Electrical resistance heater. APU heaterfails 
on. 

3.20E-Q5: 

3.20E-Q5 





1.69E-0S 

Bayesian. Design changes beginning STS- 
41 

lds_826 

2.20E-06: Failure of 1 of 4 MLG tires due to FOD 
PriortoSTS51-L54% landings at lakebed vs 7% 
afterward 

2.20E-06: 






2.20E-07 

Lakebed landings reduced from 54% to 
7% beginning STS-26 

lgr-035 

1.0QE-04: Lockup of 1 of 4 brakes due to structural failure 
Brake material changed from Beryllium to Carbon 
beginning with SI5-31 

1.00E-04: 

1.00E-04 





l.OOE-OS 

Brake material changed from Beryllium to 
Carbon beginning with STS-31 

lds-371 

0.00E00: Drag chute dooropens prematurely 
No drag chute prior to STS-49 

O.OOEOQ: 

O.OOEOQ 

2.17E-QZ 




1.49E-0B 

No drag chute prior to STS-«. Door pin 
changed from Aluminum to Inconnel 
after ST5-95 

lds-372 

O.OOEOQ Drag chute dooropens prematurely 
No drag chute prior to STS-49 

O.OOEOQ: 

O.OOEOQ 

1.11E-02 




7.58E-04 

No drag chute prior to STS-«. Door pin 
changed from Aluminum to Inconnel 
after STS-95 

lds-381 

O.OOEOQ Cond prob drag chute door failure leads to 
LOCV 

No drag chute prior to STS-49 

O.OOEOQ: 

O.OOEOQ 





1.78E-GB 

No drag chute prior to STS-« 

lds-382 

O.OOEOQ: Cond prob drag chute door failure leads to 
LOCV 

No drag chute prior to STS-49 

O.OOEOQ: 

O.OOEOQ: 





1.33E-GB 

No drag ch ute prior to SIS-4T 


Note: ... means it is equal to SPRA iteration 3.3 
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EXAMPLES FUNCTIONAL DATA CHANGES (3) 



Index 

STS-1 

STS-51L 

STS-26 

STS- 49 

STS- 110 

STS- 114 

STS- 121 

Iter 3.2 


mech-800 

8.91E-06: Electromechanical actuator fails to actuate 

7.77E-06: 7.77E-06 7.77E-06 

7.77E-06: 



5.59E-06 

Bayesian. Venderand procedure changes 
beginning STS 41-B. Procedure changes 
beginning STS 51-G. Design and 
procedure changes beginning STS- 114 

mdmlOl 

4.66E-0S: Surrogate mean based on All failures for 5xxx 
type card, the predominant type in service STS-1 thru 
STS-9 







L48E-Q5 

6xxx series MDM becomes dominant 
beginning STS 41-B 

mdmlOl 

6.87E-06: General Purpose Computer fails. Based on All 
failures for 6xxx MDM 

6.60E-O6: 6.69E-06 





189E-06 

Bayesian. Prior based on 5xxx series MDM 
before STS 41-B. Updated GPC design 
beginning STS-43 

2.91E-06: DPS MDM MIA Fails, from MDM report 2007 
mdm_110 Adjusted for 5xxx, ST5-1 thru STS-9 







9.26E-07 

6xxx series MDM becomes dominant 
beginning STS 41-B 

mdm_in 

2.91E-06: Surrogate mean based on DPS MDM MIA Fails, 

from MDM report 2007 

Adjusted for 5xxx, STS-lthru STS-9 







9.26E-07 

6xxx series MDM becomes dominant 
beginning STS 41-B 

mdm_lll 

2.30E-07: Backup Flight Controller fails. Based on All 
failures for 6xxx MDM 







L96E-Q7 

6xxx series MDM becomes dominant 
beginning STS 41-B 

5.51E-06: DPS MDM Input/Output Module Fails, from 
MDM report 2007 

mdm_120 Adjusted for 5xxx, STS-lthru STS-9 







L76E-06 

6xxx series MDM becomes dominant 
beginning STS 41-B 

mdm_121 

5.51E-06: Surrogate mean based on DPS MDM 
Input/Output Module Fails, from MDM report 2007 
Adjusted for 5xxx, STS-lthru STS-9 







L76E-06 

6xxx series MDM becomes dominant 
beginning STS 41-B 

mdm_121 

1.10E-05: DPS Pulse Code Master Modulator Unit Fails. 
Based on IOM from MDM report 2007 







9.7OE-06 

6xxx series MDM becomes dominant 
beginning STS 41-B 

mdm_121 

5.0BE-06: Flight control channel fails. Based on IOM from 
MDM report 2007 







4.72E-06 

6xxx series MDM becomes dominant 
beginning STS 41-B 

mdm_130 

1.09E-0S: DPS MDM SCU Fails, from MDM report 2007 
Adjusted for 5xxx, STS-lthru STS-9 







3.47E-06 

6xxx series MDM becomes dominant 
beginning STS 41-B 


Note: ... means it is equal to SPRA iteration 3.3 
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EXAMPLES FUNCTIONAL DATA CHANGES (4) 



Index 

STS1 

STS-51L 

STS 26 

SES 49 

STS- 110 

STS- 114 

STS 121 

Iter 3.2 


mdm_140 

9.45E 06: DPS MDM Power Supply Fails, from MDM 
report 2007 

Adjusted for 5xxx, STS1 thru STS-9 







3.01E-06 

6xxx series MDM becomes dominant 
beginning SIS 41- B 

mdm_141 

9 .45E 06: Surrogate mean based on DPS MDM Power 
Supply Fails, from MDM report 2007 
Adjusted for Sxxx, STS-1 thru STS-9 







3.01E-06 

Sxxx series MDM becomes dominant 
begi n n i ng STS 41- B 

mdm_141 

3.75E OS: Flight control ASA, A7VC Box fails 







2.96E-05 

Sxxx series MDM becomes dominant 
beginning STS 41-B 

pip 210h 

L91E-06: Hydraulic Flex Hose leak 

L91E 06: 1.91E 06 L91E 06 




1.11E-06 

Bayesian. Procedure changes beginnir^ 
STS 77 

L28E 03: Main Hydraulic Pump, fails Id start 
pmpJLOOf Solenoid controlled swash plate jams 

L28EQ3: 

1.28E-Q3 1.28E 03 




8.Z7E04 

Bayesian. Design changes beginning STS- 
73 

rad 100 

L12E-Q3: Microwave RedeverTransmitter.TACAN 
Tactical Air Nav 

Gould TACAN for STS1 thru STS 45 

L1ZE 03: 

1.12E-Q3 





2.63E-04 

Gould TACAN for STS 1 thru STS45 

regJUOr 

6.0GE-06: Gas regulator, fails closed 

6.00E 06: 6.00E 06 





1.67E-06 

Bayesian. Design and maintenance 
changes beginning STS 27. Production 
process changed starting STS 28 

reg_120m 

7.23E-05: Gas regulator, fails open [High] 

7.23E-0S: 

5.23E-0S 





4.11E-05 

Bayesian. Bellows redesign beginning STS 
26. Brazing process changed starting STS 
28 

res 230 

8. 10E-Q3: RCS primary thruster, fails to fire 

8l10E-03: 

8.10E-03 ft 10E-Q3 

4.36E-Q3: 



3.38E-03 

Bayesian. Nitrate contamination flushing 
beginning STS-78. Teflon extrusion 
procedures beginning STS-114 

res 243 

L50E-Q5: RCS primary thruster, leaks 

150E05: 

1.50E-05 L50E-0S 




6.90E-06 

Bayesian. Nitrate contamination flushing 
beginning STS 78 

RSRMCAT 

Z00E-Q2: RSRM Catastrophic Failure (Mainstage) 
STS-1 thru STS 51L (demonstrated) 

ZOOE-QZ 






3Z7E04 

RSRM redesigned beginning STS26 


Note: ... means it is equal to SPRA iteration 3.3 
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EXAMPLES FUNCTIONAL DATA CHANGES (5) 



Index 

STS-1 

STS-51L 

STS-26 STS-49 

STS- 110 

STS- 114 

SIS- 121 

Iter 3.2 


SRBFBSMTHRT 

4.78E-03: SRB Fwd BSM Axial Crack occurs in Graphite 
Throat 

4.78E-Q3: 

4.78E-03 4.78E-03: 

3.18E-Q3: 

3.18F-03 

3.18E-Q3 

2.39E-Q3 

Bayesian. Cou nt crack in th roat CAR 
discounted as 0.5 beginning STS- 108 and 
as 0.25 beginning STS-122 

SRBLPLK 

3.18E-Q9: SRB APU low press hydrazine leak 

3.18E-Q9: 

3.18E-QS 3.18E-09: 

3.18E-09: 

3.18E-09 

3.18E-Q9 

2.20E-10 


SRBHPHDZLK 

7.26E-Q5: SRB APU high press hydrazine leak 

1.Q2E-07: 

1.Q2E-07 1.Q2E-07: 

1.Q2E-07: 

1.Q2E-07 

1.Q2E-07 

2.49E-08 


SSMECAT 

9.65E-04: SSME Catastrophic Failure 

2.73E-Q3: 

1.28E-Q3 1.28E-03 

5.57E-04: 

5.57E-04 

5.57E-04 

4.99E-04 

SSME estimates obtained for FMOE, FPL 
{Block I/IA& Block IIA pending). Block II, 
and Block II w/AHMS 

SSMECAT-A 

1.11E-Q3: SSME Catastrophic Failure - ATO 

3.15E-Q3: 

1.47E-Q3 1.47E-Q3 

6.43E-04: 

6.43E-04 

6.43E-04 

5.75E-04 

SSME estimates obtained for FMOE, FPL 
{Block I/IA& Block IIA pending). Block II, 
and Block II w/AHMS 

SSMECAT-P 

9.4/F-04: SSME Catastrophic Failure - PTM 

2.68E-G3: 

1.25E-03 1.25E-03: 

s 

LLJ 

5= 

1^5 

5.47E-04 

5.47E-04 

4.83E-04 

SSME estimates obtained for FMOE, FPL 
(Block I/IA& Block IIA pending). Block II, 
and Block II w/AHMS 

SSMECAT-R 

1.39E-03: SSME Catastrophic Failure - RT1S 

3.94E-03: 

1.84E-03 1.84E-Q3 

8.04E-04: 

8.04E-04 

8.04F-04 

7.19E-04 

SSME estimates obtained for FMOE, FPL 
(Block l/IA & Block IIA pending). Block II, 
and Block II w/AHMS 

SSMECAT-T 

1.23E-Q3: SSME Catastrophic Failure -TAL 

3.47E-Q3: 

1.62E-Q3 1.62E-G3 

7.07E-04: 

7.07E-04 

7.07E-04 

6.33E-04 

SSME estimates obtained for FMOE, FPL 
(Block I/IA& Block IIA pending). Block II, 
and Block II w/AHMS 

SSMESHDN 

7.61E-Q3: SSME Benign Shutdown Occur 

8.67E-Q3: 

2.41E-Q3 2.41E-Q3: 

1.01E-Q3: 

1.01E-Q3 

1.01E-(B 

1.06E-CB 

SSME estimates obtained for FMOE, FPL 
{Block I/IA& Block IIA pending). Block II, 
and Block II w/AHMS 

SSMESHDN-A 

8.78E-Q3: SSME Benign Shutdown - ATO 

1.00E-02: 

2.78E-Q3 2.78E-Q3 

1.16E-03: 

1.16F-Q3 

1.16E-03 

1.14E-03 

SSME estimates obtained for FMOE, FPL 
(Block I/IA& Block IIA pending). Block II, 
and Block II w/AHMS 

SSMESHDN-P 

7.47E-Q3: SSME Benign Shutdown - PTM 

8.50E-G3: 

2.36E-Q3 2.36E-Q3: 

9.89E-04: 

9.89E-04 

9.89E-04 

1.04E-Q3 

SSME estimates obtained for FMOE, FPL 
(Block I/IA& Block IIA pending). Block II, 
and Block II w/AHMS 


Note: ... means it is equal to SPRA iteration 3.3 
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EXAMPLES FUNCTIONAL DATA CHANGES (6) 



Index 

STS1 

STS51L 

ST5-26 

STS-49 

ST5-110 

STS-114 

STS-121 

Iter 3.2 


SSMESHDN-R 

HOC 02: SSME Benign Shutdown RTTS 

1.25E-Q2 

3.47E-03 

3.47E-03 

1.45E-03 

1.45E-03 

145E-G2 

1.27E4B 

SSME estimates obtained for FMOE, FPL, {Block 
l/IA & Block IIA pending). Block II, and Block II 
w/AHMS 

SSMESHDNT 

9.G6E 03: SSME Benign Shutdown TAL 

1.10E-Q2 

3.06E 03 3.06E-03 

1.28E-03 

1.28E-03 

128E4E 

1.2QE-Q3 

SSME estimates obtained for FMOE, FPL, (Block 
l/IA & Block IIA pending). Block II, and Block II 
w/AHMS 

swf-ab 

4.32E-03: 01-01 Flight software fails on Abort 

252E-Q3 

1.81E-03 

120E-03 

6.25E-04 



5.42E-04 

Flight software changes between most flight 
intervals 

swf-asc 

1.80E-Q3: 01-01 Flight software fails on Ascent 

105E4B 

7.54E-04 4.99E-04 2.80E-O4 



2.26E-04 

Flight software changes between most flight 
intervals 

swf-orb 

1.79ETT4: OI-OlFlight software fails on Oibit 

1Q5E-04 

7.53E-Q5 

4.98E-Q5 

2.S0E-Q5 



2.26E4B 

Flight software changes between most flight 
intervals 

swf-ent 

4.48E-04: 014)1 Flight software fails on Entry 

262E-04 

1.88E-04 

125E-04: 6.48E-05 



5.ffiE4K 

Flight software changes between most flight 
intervals 

100C0G Crew Rescue Fails, No rescue prior to STS 
cscs 114 

iooeoq 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

2.00E-01 ... 

1.69E4)1 

NoCrew Rescue prior to STS-114, 3.2 value used 
beginning STS 121 

l.OOEOQ Percentage of nose damage that goes 
undetected during FD2 inspection, N/A prior to STS 
FD2_NOSE_TI 114 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

1.00E-01 


1.00E03 

No Inspection prior to STS 114, 3.2 value used 
beginning STS 121 

RPR-NOAX 

l.OOEOQ TPS - NOAX Repair Fails, None prior to STS 
114 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 



1.00E-01 

No Repair prior to STS-114, 3.2 value used 
beginning STS-121 

RPR-PLUG 

l.OOEOQ TPS - Plug Repair Fails, None prior to STS 
114 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

3.00E-01 


2.50E-01 

No Repair prior to STS-114, 3.2 value used 
beginning STS-121 

tps-lg-E 

l.OOEOQ TPS - Large Tile Repair Failure on Entry, 
None prior to ST5-114 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

3.00E-01 


1.25E-01 

No Repair prior to STS-114, 3.2 value used 
beginning STS-121 

tps-lg-0 

l.OOEOQ TPS - large Tile Repair Failure on Orbit, 
None prior to STS114 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

l.OOEOQ 

5.00E-01 


5.56E-Q2 

No Repair prior to STS-114, 3.2 value used 
beginning STS-121 

ad^ wash 

3.83E 03: Critical tile damage on ascent and 
emittance wash repair fails 

3.83E-0B: 3.83E-Q3 

664E-Q5 

6.64E05 6.G4E 05 


1.77E4K 

Asoent debris mitigations beginning STS- 29 and 
STS 121 


Note: ... means it is equal to SPRA iteration 3.3 
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EXAMPLES FUNCTIONAL DATA CHANGES (7) 



Index 

STS1 

STS-51L 

STS-26 

STS-49 

STS^llO 

STS-114 

STS 121 

Iter 3.2 


ad-t-rad 

1.16E 02: Critical tile damage repaired requiring large 
area repair (t rad or overlay) 

1.16E-02 

1.16E-023.00E-03 

U> 

1 

1 


168E08 

Ascent debris mitigations beginning STS- 
29 and STS-121 

ad-undet 

2.71E04: Undetected critical tile damage occurs on 
ascent 

2.71E-04 

2.71E-04 7.01E-05 

7.WE-Q5: 

7.04E-05 


1S7E06 

Ascent debris mitigations beginning STS- 
29 and STS421 

ad-tal 

1.55E-Q2: Critical tile damage during TAL 

1.55E-02 

1.55E-024.15E-03 

4.15ETB:415E-(B 


195E08 

Ascent debris mitigations beginning STS- 
29 and STS-121 

ad roc 

4.76E Q2: Three times Historical RCC damage probability 
(3x1126) 

x2 since model will divide by two 

4.76E-02 

4.76E-Q2 1.59E-02 

1.50E-Q2: 159E-Q2 


7.94E 03 

Ascent debris mitigations beginning STS- 
29 and ST3-121 

vIp lOOp 

9.L9E05: M’S Prevalve, fails to operate 







246E05 

Bayesian. Debris screen added beginning 
STS8 

vlr 130m 

2.09E-06: Pneumatic relief valve fails open 

2.Q9E-06 

2.09E-06 





Bayesian. Contamination procedures 
192E-06 added beginning STS-36 

vlsJOOe 

2.63E-04: Brake Extend valve, fails to operate (LV11, 
LV42) 

2.63E-04 

2.63E 042.63C 04 

... 



204E04 

Bayesian. Contamination prevention 
beginning STS68 


Note: ... means it is equal to SPRA iteration 3.3 
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SSME CONFIGURATIONS 


First Manned 

Orbital Flight Full Power Level 


Phase II 

Retum-to- Flight Block I 


Block I A 


Block II A 


Block II 









■ Base Line 
Engine 

■ First Flight 


■ Powerhead/ 

Ducts 

- HGM Fuel Bowl Liner Mods 

- Lox Post Support pins in 
FPB 

- New Flow Meter 
Straightener 

- LOX Post shields 

■ HPFTP 

- Kel-F Seals 

- Replaces stepped 
Interstage seals with 
smooth 

- Increased clearance 
turbine blade clearance to 
tip seal 

■ HPOTP 

- Housingmaterialchanged 
(INCO 903) 

■ LPFTP 

- Revi sed b locki ng area 

• LPOTP 

- Turbine discharge tuning 
vane mod 

• Avionics 

■ Nozzle 

- Increased tube wall 
thickness 

- Added steam loop 

■ First Flight STS-6 


HPFTP 

Shot peened Fi r T rees 

Large Coolant Discharge . 

Orifices 

HPOTP 

Bearirg Changes 

Damping Seals 

Two Piece Dampers 

MCC 

EDNi Reinforced Cutlet 
Neck 

Burst Diaphragm Drain line 

HPF Duct He Barrier 


Phase 11+ Power 
head (Two Duct) 
Single Tube HEX 
HPOTP/ AT 
Thermocouples 
First Flight 
STS- 70 


Avionics/ Valves 

Increased Strength MFV 
Housing 

Anti -Back lash Couplings 
Potted Wi reways 
Tight Stack 6CV 
Modified Pressure Sensor 
Cavity 

Improved Hot-Sas 
temperature Sensor 
Spark Igniter Case 
Structural Improvements 
4k Hz Monitor 
Skin Temp Sensor added to 
Anti -flood Valve 


First Flight 
STS-26R 


Main Injector 
Modifications 
Programmed 
Secondary 
Faceplate 
Coolant Holes 
First Flight 
STS -73 


■ Large Throat 
MCC 

- Cast In let/ Out let 
Elbows 

■ 20 Hole Fuel 
Sleeves 

■ Block II LPOTP 

■ Block II LPFTP 

■ A-Cal Software 

■ Actuator Spool 
Material 
Improvement 

■ Filtered Check 
valves 

■ Pressure Sensor 
Improvements 

■ First Flight 


HPFTP/ AT 
Main Fuel 
Valve 

Non integral 

Spark 

Igniter 


STS- 89 


Opened BLC 
holes to minimize 
for faceplate 
erosion sts-94 


Rocketdyne 
Propulsion & Power 


1964-03B.pptl1 9/30/99 
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